<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-2630186760095824791</id><updated>2012-01-14T13:49:11.254-08:00</updated><category term='data theft'/><title type='text'>Identity Theft and Business</title><subtitle type='html'>Where D = data, and V = value, and R = risk, the desired outcome is DV &amp;gt; DR = Success  (borrowed from a friend)</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><link rel='next' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default?start-index=101&amp;max-results=100'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>148</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-918132741099162792</id><published>2010-03-30T08:02:00.000-07:00</published><updated>2010-03-30T08:18:06.309-07:00</updated><title 
type='text'>Longer Term Effects of ID Theft</title><content type='html'>The story below may be a great example of how identity theft can occur at any time from some unlikely sources. A person takes out a student loan and gives their personal information out. An incident like this happens and they get the obligatory "credit monitoring" service. Yet several years later they find that they have been victimized in a dozen non-credit types of crimes. They find that mysteriously their medical insurance policy is waived due to multiple false claims made. They discover that dozens of small retail accounts have been opened, and purchases were made and never paid for. Now they are being hounded by credit recovery agencies or attorneys trying to collect on bad debt. During a routine traffic stop they find warrants have been issued because their ID was used with police after multiple traffic violations. They are arrested. Credit monitoring alone cannot help those victims. Everyone needs to be aware of the outcome of millions of ID theft cases each year that are not directly related to the credit bureaus or banks and credit cards. These far-reaching effects are much more serious and very complex issues to deal with. An ID theft victim needs the help of professionals who will advocate for them, and even represent them in righting corrupt personal file entries throughout the system.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;Personal Information of 3.3 Million Stolen&lt;br /&gt;A student loan firm is providing credit monitoring and protection services to some 3.3 million people affected by a data breach, the Washington Post reports. A spokesman for Educational Credit Management (ECMC), a nonprofit student loan guaranty agency headquartered in Minnesota, said portable media containing personally identifiable information was stolen in an "old-fashioned theft" from company headquarters. 
The stolen information included names, addresses, birth dates and Social Security numbers, but no banking information, an ECMC press release said. &lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-918132741099162792?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/918132741099162792/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=918132741099162792&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/918132741099162792'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/918132741099162792'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2010/03/story-below-may-be-great-example-of-how.html' title='Longer Term Effects of ID Theft'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-7755528191347172883</id><published>2010-03-10T10:13:00.000-08:00</published><updated>2010-03-10T10:28:19.728-08:00</updated><title type='text'>Office Awareness Training</title><content type='html'>When I speak with business owners about the dangers of data breaches within the office, I often have to point out the issue of copy machines. Copiers can record thousands of documents on the internal hard drive. 
As mentioned in the article below, it is very simple to capture the contents of the drive on a laptop in just a couple of minutes. This also applies to the copy machines in office supply businesses and copy shops. As most private businesses lease their copiers, it is incumbent on the rental company to erase hard drives before removing the machine from the client's office. They need to be reformatted to ensure the data is erased.&lt;br /&gt;&lt;br /&gt; "When you protect the information on others you are protecting them, when someone else does it they are protecting you."&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;Copy Machines Pose Privacy Risks &lt;br /&gt;Boston's WBZ-TV reports on a privacy threat looming in homes and offices: copy machines. Security expert John Juntunen demonstrated how easily accessible a copy machine's stored data can be, connecting his laptop to a copier and downloading a child support document and one woman's IRA application containing her address, Social Security number and date of birth. Another hard drive produced contact information for Caroline Kennedy. Though companies are supposed to wipe used hard drives clean before selling a machine, that isn't always executed, the report states. 
"I think it's an issue that's going to have major ramifications," says security expert Sean O'Leary.&lt;br /&gt;  &lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-7755528191347172883?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/7755528191347172883/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=7755528191347172883&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/7755528191347172883'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/7755528191347172883'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2010/03/office-awareness-training.html' title='Office Awareness Training'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-8128694953775758668</id><published>2010-03-09T13:54:00.000-08:00</published><updated>2010-03-09T13:58:05.820-08:00</updated><title type='text'>Lifelock Settles with the FTC</title><content type='html'>For all of those who have purchased a Lifelock product without reading the contract here ya go. 
&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;Federal Trade Commission Chairman Jon Leibowitz and Illinois Attorney General Lisa Madigan announced a settlement today that requires LifeLock, Inc., to pay a total of $12 million to settle charges that its claims of providing comprehensive identity theft protection were false. According to the FTC, LifeLock did offer some protection against specific types of ID theft, but the company's practice had no effect on the most common form: the misuse of existing credit card and bank accounts. "While LifeLock promised consumers complete protection against all types of identity theft, in truth, the protection it actually provided left enough holes that you could drive a truck through it," Leibowitz said.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;I have many clients who had a Lifelock plan until I explained to them what they are not getting in the  bargain. Please read the fine print before you buy!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-8128694953775758668?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/8128694953775758668/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=8128694953775758668&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/8128694953775758668'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/8128694953775758668'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2010/03/lifelock-settles-with-ftc.html' title='Lifelock Settles with the FTC'/><author><name>John 
Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-1664730479737465994</id><published>2010-03-05T14:34:00.000-08:00</published><updated>2010-03-05T14:42:10.096-08:00</updated><title type='text'>What, Medical Identity Theft?</title><content type='html'>A little over three years ago I was speaking with a good friend and author on identity theft. He had predicted that medical identity theft would soon be the new frontier of identity theft. He had been soundly rejected by the press and some so called experts. They put down his theory as soundly as if he had purported that the world was flat after all. In fact John Gardner was exactly right. Read the article below to see just how pervasive medical identity theft and fraud has become.&lt;br /&gt;&lt;span style="font-style:italic;"&gt;&lt;br /&gt;A new survey from the Ponemon Institute shows that nearly six percent of American adults have been victims of medical identity theft, with an average cost per victim of $20,160. The cost comes from the efforts victims face to sort out what happened with concerned parties such as doctors, hospitals, insurance companies and credit agencies, the San Francisco Chronicle reports. "The National Study on Medical Identity Theft" is based on findings from 156,000 people who agreed to discuss the general topic of identity theft, with 5.8 percent confirming they had been the targets of medical ID theft. Based on those statistics, the study estimates that 1.42 million adults in the U.S. 
may have experienced the theft of their medical identification information&lt;/span&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-1664730479737465994?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/1664730479737465994/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=1664730479737465994&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/1664730479737465994'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/1664730479737465994'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2010/03/what-medical-identity-theft.html' title='What, Medical Identity Theft?'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-3819926177832563931</id><published>2010-03-02T10:26:00.000-08:00</published><updated>2010-03-02T10:27:58.096-08:00</updated><title type='text'>The Cost of Data Theft</title><content type='html'>The Price to Fix Data Theft: $7 Million and Counting&lt;br /&gt;The theft of 57 unencrypted hard drives from BlueCross-BlueShield of Tennessee has given thieves access to personal data on upwards of 500,000 customers and is costing millions to fix, PCWorld reports. 
The drives contained recordings of more than one million customer support calls as well as 300,000 screen shots, which in some cases included names, birthdates and Social Security numbers. BlueCross is now auditing its security practices, the report states. The process of investigating the breach and notifying customers has cost more than $7 million so far. According to Michael Spinney of the Ponemon Institute, while the average data breach costs $6.75 million, the company could be paying much more due to the complexity of the breach.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-3819926177832563931?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/3819926177832563931/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=3819926177832563931&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/3819926177832563931'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/3819926177832563931'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2010/03/cost-of-data-theft.html' title='The Cost of Data Theft'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-4890696325587011865</id><published>2010-03-02T10:15:00.000-08:00</published><updated>2010-03-02T10:24:49.209-08:00</updated><title type='text'>FTC to Appeal Red Flags Exemption for Attorney Firms</title><content type='html'>FTC Set to Appeal the Red Flags Rule Exemption for Attorneys and Law Firms&lt;br /&gt;&lt;br /&gt;On February 25, 2010, the Federal Trade Commission filed a notice that it is appealing the D.C. District Court’s December 28, 2009 judgment in favor of the American Bar Association in American Bar Association v. FTC.  The District Court’s summary judgment held that the FTC’s Identity Theft Red Flags Rule (“Red Flags Rule” or the “Rule”) does not apply to attorneys or law firms.  The Rule implements Sections 114 and 315 of the Fair and Accurate Credit Transactions Act.  In relevant part, the Rule requires creditors and financial institutions that offer or maintain certain accounts to implement an identity theft prevention program.  The program must be designed to detect, prevent and mitigate the risk of identity theft.  
Prior to the district court’s decision, the FTC had taken the position in publications and numerous panels that attorneys and law firms meet the Rule’s definition of “creditor” because they allow clients to pay for legal services after the services are rendered.&lt;br /&gt;&lt;br /&gt;View the FTC’s notice of appeal, filed last week, stating its intention to appeal the court's judgment:&lt;br /&gt;http://www.huntonprivacyblog.com/uploads/file/ABA_v__FTC_Notice_of_Appeal.pdf&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-4890696325587011865?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/4890696325587011865/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=4890696325587011865&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/4890696325587011865'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/4890696325587011865'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2010/03/ftc-to-appeal-red-flags-exemption-for.html' title='FTC to Appeal Red Flags Exemption for Attorney Firms'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-8577419399947989217</id><published>2010-02-24T11:23:00.000-08:00</published><updated>2010-02-25T09:00:33.596-08:00</updated><title type='text'>Iowa Victims Fear Identity Theft</title><content type='html'>&lt;span style="font-style:italic;"&gt;&lt;span style="font-style:italic;"&gt;&lt;span style="font-style:italic;"&gt;Thousands of Iowa residents fear they could become victims of identity theft after the state's Racing and Gaming Commission licensing database was hacked during routine Internet maintenance last month, the Des Moines Register reports. The FBI is investigating the breach of the database, which includes the names, addresses, dates of birth and Social Security numbers of 80,000 current and former casino and racetrack employees. Experts say those whose information was compromised have every reason to be concerned. Citing examples of financial and medical identity fraud, California-based attorney Mari Frank said, "the sky is the limit as to what could happen...&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;Can anyone think of a reason to NOT have identity theft protection and restoration services when this sort of thing can and does happen almost daily? There is only one such service that provides complete restoration for all types of identity theft issues. 
The one I am proud to represent.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-8577419399947989217?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/8577419399947989217/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=8577419399947989217&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/8577419399947989217'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/8577419399947989217'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2010/02/iowa-victims-fear-identity-theft.html' title='Iowa Victims Fear Identity Theft'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-3491623540628406479</id><published>2010-02-09T10:56:00.000-08:00</published><updated>2010-02-09T11:03:20.648-08:00</updated><title type='text'>Top Five Mistakes of Privacy Training Programs</title><content type='html'>&lt;span style=";font-family:&amp;quot;;font-size:12pt;color:black;"   &gt;I won't prattle on about the breach of 50,000 Californians' SSNs along with their names and addresses inadvertently sent out last week by the Cal Dept of Health. 
The envelopes actually had the SSNs printed on the envelopes sent to some 50,000 recipients of health care aid. Anyone who can't reach out to their own comprehensive identity theft restoration service and avoid identity theft and the fallout from records entries should be ashamed.&lt;br /&gt;&lt;br /&gt;Instead I will report the following...&lt;br /&gt;Good intentions aside, many companies are missing the opportunity to effectively train employees on data protection. "Many corporations have adopted a check-box approach toward compliance" with the obligations set out in various data protection regulations, says Jay Cline, CIPP, in a &lt;i&gt;Computerworld&lt;/i&gt; article. Cline says common mistakes that companies make include separating rather than melding privacy, security and records management and ethics training; using too few communications channels; and failing to measure training effectiveness. "Employee training is probably the most important component of an information risk management process," he writes. 
"Yet few companies actually measure..."&lt;/span&gt;&lt;span style=";font-family:Arial;font-size:10pt;color:black;"   &gt;&lt;br /&gt;&lt;/span&gt;&lt;span style=";font-family:Verdana;font-size:7.5pt;color:black;"   &gt;&lt;a href="http://r20.rs6.net/tn.jsp?et=1103022598741&amp;amp;s=40570&amp;amp;e=0018uOZoFSInyUCVN5-_pcEpHEt0PTKgTSNtlnrQJChMpZGRtmMKDhhrP5tfTqahyK_UbbSjUDhPemcRYkriG8D74CdxlnuegAjnVBIIWposkFuCWVNseSPEuozLvRcfCehERolnp2QvAvXsOEWvaXzKu9kZX-MsEWZMRcKW_tIhipECzMkxcA-VXnvrGzY%20"&gt;&lt;b&gt;Full Story&lt;/b&gt;&lt;/a&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-3491623540628406479?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/3491623540628406479/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=3491623540628406479&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/3491623540628406479'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/3491623540628406479'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2010/02/top-five-mistakes-of-privacy-training.html' title='Top Five Mistakes of Privacy Training Programs'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-9088066422909162123</id><published>2010-01-26T10:29:00.001-08:00</published><updated>2010-01-26T10:30:09.778-08:00</updated><title type='text'>Mortgage Broker Fined</title><content type='html'>&lt;p class="MsoNormal"&gt;I recently had a conversation with a mortgage broker who was not aware of how important security is to client transactions, other than a vague awareness of the risk of identity theft. There are numerous business sectors that simply do not understand their responsibilities and liability when it comes to protecting their clients' personal information. Chief among them are mortgage and legal professionals. 
&lt;/p&gt;  &lt;span style=";font-family:&amp;quot;;font-size:12pt;"  &gt;&lt;br /&gt;A mortgage broker charged with improperly disposing of consumers' personal financial records has paid a $35,000 settlement to the Federal Trade Commission (FTC). Gregory Navone, of Las Vegas, disposed of about 40 boxes of sensitive consumer records in a public dumpster, according to the December 2008 FTC complaint. The records included tax returns, mortgage applications, bank statements, photocopies of credit cards and drivers' licenses and at least 230 credit reports. The settlement also requires Navone to employ an information security program for sensitive consumer information, and to hire an independent, third-party security professional to conduct compliance audits annually for the next 10 years.&lt;br /&gt;&lt;b&gt;&lt;br /&gt;&lt;/b&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-9088066422909162123?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/9088066422909162123/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=9088066422909162123&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/9088066422909162123'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/9088066422909162123'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2010/01/mortgage-broker-fined_26.html' title='Mortgage Broker Fined'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-4764918275046070610</id><published>2010-01-21T08:42:00.000-08:00</published><updated>2010-01-21T08:48:17.629-08:00</updated><title type='text'>What is Identity Theft?</title><content type='html'>With all of the articles about breaches, including the ones I have posted, sometimes it is important to get back to basics about identity theft itself. Below is an excerpt from a PC World article published yesterday which outlines the definition of identity theft as it has evolved.&lt;br /&gt;&lt;br /&gt;&lt;p style="font-style: italic;" class="MsoNormal"&gt;"Identity theft happens when your personal information is accessed by someone else without your explicit permission."&lt;br /&gt;"Identity fraud occurs when criminals take that illegally obtained personal information and misuse it for their financial gain, by making fraudulent purchases or withdrawals, creating false accounts, or attempting to obtain services such as employment or healthcare. Personally identifying information such as your Social Security number, bank or credit card account numbers, passwords, telephone calling card number, birth date, name, address and so on can be used by criminals to profit at your expense."&lt;br /&gt;"Almost 10 million Americans learned they were victims of identity fraud in 2008, up from 8.1 million victims in 2007."&lt;/p&gt;  &lt;span style="font-style: italic;font-family:&amp;quot;;font-size:12pt;"  &gt;"Identity theft also falls into this category [of financial fraud]; cases classified under this heading tend to be those where the perpetrator possesses the complainant's true name identification (in the form of a Social Security card, driver's license, or birth certificate), but there has not been a credit or debit card fraud committed."&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-4764918275046070610?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/4764918275046070610/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=4764918275046070610&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/2630186760095824791/posts/default/4764918275046070610'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/4764918275046070610'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2010/01/what-is-identity-theft.html' title='What is Identity Theft?'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-7650297667880768589</id><published>2010-01-19T09:33:00.000-08:00</published><updated>2010-01-19T09:37:52.964-08:00</updated><title type='text'>"Just Another Data Breach"</title><content type='html'>&lt;span style="font-size:85%;"&gt;&lt;span style=";font-family:Verdana;font-size:10pt;color:black;"   &gt;Data breaches have become so ubiquitous &lt;/span&gt;&lt;/span&gt;&lt;span style=";font-family:Verdana;font-size:10pt;color:black;"   &gt;that more often than not they go unnoticed, and often unreported.&lt;br /&gt;I wonder how any victims of identity theft resulting from those breaches feel? While it is reported here that the number of breaches is on a decline, the number of breached records is increasing and the number of ID theft victims holds steady. It's all in the numbers.&lt;br /&gt;&lt;br /&gt;&lt;i&gt;ITWire.com&lt;/i&gt; reports that the number of data breaches reported to the media has declined significantly over the past 18 months. The article cites an &lt;i&gt;Open Security Foundation&lt;/i&gt; blog post that says the number of breaches reported in global media has dropped from about 1,000 per month between 2005 and 2008, to about 500 per month. The blog speculates that boredom in the press may be a cause. "Just another data breach" isn't news anymore, the report states.
&lt;br /&gt;&lt;/span&gt;&lt;b&gt;&lt;span style=";font-family:Verdana;font-size:7.5pt;color:black;"   &gt;&lt;a href="http://rs6.net/tn.jsp?et=1102950267487&amp;amp;s=40570&amp;amp;e=0013HtG04LCCP2oHn3cWsqr8oqeAgrTlDbnWAnB0pMUBMscCtNNVxyFSVPs8QHz2xwiBMZimhEFYzU2xyISv2B_2Gf0kMmp27nvTEz8ZUsgYRO9WBNnavYPMOCgzIrPnFTTra_arAJ2yHShSJJ2unnk5A==" target="_blank" shape="rect" track="on" linktype="link"&gt;Full Story&lt;/a&gt;&lt;/span&gt;&lt;/b&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-7650297667880768589?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/7650297667880768589/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=7650297667880768589&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/7650297667880768589'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/7650297667880768589'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2010/01/just-another-data-breach.html' title='&quot;Just Another Data Breach&quot;'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-8316847841963317749</id><published>2010-01-15T13:58:00.000-08:00</published><updated>2010-01-15T14:00:19.138-08:00</updated><title type='text'>Malice Outpaces 
Error as Breach Cause</title><content type='html'>&lt;b&gt;&lt;span style="font-size: 12pt; font-family: &amp;quot;Times New Roman&amp;quot;; color: rgb(51, 102, 51);"&gt;&lt;/span&gt;&lt;/b&gt;&lt;span style="font-size: 12pt; font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;In its annual report on data breaches The Identity Theft Resource Center (ITRC) says that 2009 marks the first time that malicious attacks have moved beyond human error as the leading cause of data breach,&lt;i&gt; Dark Reading&lt;/i&gt; reports. According to the ITRC's "2009 Data Breach Report," hackers and insider theft accounted for 36.4 percent of breaches, human error 27.5 percent. 
The ITRC also found that compromised paper documents were involved in 26 percent of data breaches. In the 2009 report, the ITRC says that while the number of officially reported data breaches fell in 2009, it cannot determine if the overall breach rate is falling because of the number of unreported breaches.&lt;br /&gt;&lt;/span&gt;&lt;span style="font-size: 7.5pt; font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&lt;a href="http://rs6.net/tn.jsp?et=1102944083947&amp;amp;s=40570&amp;amp;e=001nz5oO2-49RLvzQHAP17fZy6Pxky4r7xLwN7dVZ6dwg4SnvkIJnXPB3j1N7f7ofiOqUbDmYgCzxUo_SGo6wCmhAF-4qApm82U2StEKI8AxZ_KhXybnpEtDUY0Itr_Gjp8l-CjpcDyyQjTjy7lycIKS3jZ7vVeIPjceDZwzqd4-qZUyM6HMyrPUE_GJCm2jAW1%20" shape="rect" track="on" linktype="link"&gt;&lt;b&gt;Full Story&lt;/b&gt;&lt;/a&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-8316847841963317749?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/8316847841963317749/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=8316847841963317749&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/8316847841963317749'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/8316847841963317749'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2010/01/malice-outpaces-error-as-breach-cause.html' title='Malice Outpaces Error as Breach Cause'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' 
height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-616269191499023655</id><published>2010-01-07T07:50:00.000-08:00</published><updated>2010-01-15T10:02:04.590-08:00</updated><title type='text'>An Armed Society</title><content type='html'>Ever hear of the phrase "&lt;span style="font-weight: bold; font-style: italic;"&gt;An armed society is a polite society&lt;/span&gt;"? It does take things a bit far but the principle is right on the money. I've said time and again that if you can successfully remove the value from the data then you can actually reverse the trend in data theft and misuse. It shouldn't be the sole responsibility of the "data keepers" to protect it from lurking thieves. Just as in terrorism or any crime of attack, the good guys have to be right 100% of the time where the attacker only has to be right once. Not exactly great odds.&lt;br /&gt;&lt;br /&gt;When you look at the practical percentages of theft surrounding your personal data you can see that the odds are lower of your stuff being stolen &lt;span style="font-weight: bold; font-style: italic;"&gt;and used&lt;/span&gt;, than is widely perceived. Currently there are roughly 10 million domestic identity theft victims each year according to FTC and Ponemon Institute estimates. A little over 60% of those cases are the result of data theft from a public or private entity.  But that doesn't mean that it is any less devastating. The problem is that when you entrust the data keeper to report the loss to you, or to fix a breach weak link, or frankly do anything for you after the fact, you are dreaming. No breached entity will tell you that the breach will likely result in identity theft. They will run damage control instead, meaning that they will downplay that aspect to protect their public image. 
The problem with that is that time is now on the side of the thieves to sell or use your personal information. A breached entity can take months, or in some cases years, to notify you of the loss, and sometimes it never does if the breach doesn't rise to the threshold that the states' reporting laws have in place.&lt;br /&gt;&lt;br /&gt;In light of that reality, why can't we all empower ourselves to be our own first line of defense when it comes to our personal data? With the power to act in our hands, we are able to react to incidents of breach and identity theft much faster and with greater precision than is possible for the university, government agency, employer, hospital, etc., that lost the data in the first place. A professional agency dedicated to notifying us within hours when our information is misused is our best line of personal defense. An agency that can not only report these incidents to you in a timely way but also act as your proxy to correct the errors and false record entries when misuse does occur is the most direct way to protect ourselves.&lt;br /&gt;&lt;br /&gt;Tangentially, by having such a representative we are lowering the value of the data to the thieves. Illicit data brokers and identity thieves rely on time being on their side to profit from the misuse of your information. They need days or weeks to actually use the data to make purchases or obtain insurance, file false claims, get employment, etc. Draining bank accounts or running up credit purchases, while pretty awful, are largely handled by the banks and credit card companies themselves. A bank generally will help the victim, but only with timely reporting. That means within hours or a day or so at the longest. Beyond a few days a bank's responsibility is much reduced. If you are not aware of the misuse you cannot report it to the bank. 
An agency that can notify the client within hours of an identity theft episode can shut down the misuse and render that identity information nearly useless almost immediately. The client is isolated from the incident, identified as a victim of identity theft, and the agency then can begin the restoration of the records or credit files affected. They will also look for other misuse within other databases in the event the incident is more widespread than the original incident. This can all take place within hours of the incident. Not a bad timely response to the attack in my opinion.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-616269191499023655?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/616269191499023655/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=616269191499023655&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/616269191499023655'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/616269191499023655'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2010/01/armed-society.html' title='An Armed Society'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-7808694960291361697</id><published>2010-01-06T13:08:00.000-08:00</published><updated>2010-01-07T07:48:58.387-08:00</updated><title type='text'>Welcome to the Other Side of New Year's Day</title><content type='html'>Now that we have successfully transitioned into 2010 with our skin intact I want to once again return to the subject of our &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;PII&lt;/span&gt;, those who wish to have their way with it, and the hapless &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1"&gt;aggregators&lt;/span&gt; and keepers with file cabinets and servers chock full of it. To that end I have included links to a couple of things to ponder in these first few days of the year.&lt;br /&gt;&lt;br /&gt;&lt;p class="MsoNormal" style="margin-right: 0.5in;"&gt;&lt;b style="font-style: italic;"&gt;&lt;span style=";font-family:Verdana;font-size:10pt;color:black;"   &gt;Navy's &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_2"&gt;InfoSec&lt;/span&gt; Chief Suffers Sixth Breach&lt;/span&gt;&lt;/b&gt;&lt;span style=";font-family:Verdana;font-size:10pt;color:black;"   &gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt; The Navy's Chief Information Officer Robert Carey recently received notification of a compromise of his personally identifiable information (&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_3"&gt;PII&lt;/span&gt;), reports &lt;/span&gt;&lt;i style="font-style: italic;"&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_4"&gt;govinfosecurity&lt;/span&gt;.com&lt;/i&gt;&lt;span style="font-style: italic;"&gt;. For Carey, it was the sixth such notification, and came from the Army--where he hasn't worked in 24 years. Carey used the event to describe his philosophy on data protection and enumerate a seven-point summary of his department's efforts to reduce the risk of a breach within the Department of the Navy. "In today's Information Age, &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_5"&gt;PII&lt;/span&gt; must be treated with extreme care because unauthorized access to &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_6"&gt;someone's&lt;/span&gt; digital identity can and does cause grave consequences," Carey wrote&lt;/span&gt;.
&lt;br /&gt;&lt;/span&gt;&lt;b&gt;&lt;span style=";font-family:Verdana;font-size:7.5pt;color:black;"   &gt;&lt;a href="http://rs6.net/tn.jsp?et=1102923384773&amp;amp;s=40570&amp;amp;e=001xpoKg2-EtEWievBn9glIHeBxW_VaO7sHznwsu8Dm751U50-5Lfnx6phXK1SB1foy-VthwPAyYbP8ZAttaxlySmAAVLo6DGugKrRjrRtVgUXO2vSRhVpncWugSHeOXWA3j45UXW-IF6e2zQ57oJGV-KAiHFp0AfMu" target="_blank"&gt;Full Story&lt;/a&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;b&gt;&lt;span style=";font-family:Verdana;font-size:7.5pt;color:black;"   &gt;&lt;!--[if !supportEmptyParas]--&gt; &lt;!--[endif]--&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/b&gt;&lt;/p&gt;  &lt;b style="font-style: italic;"&gt;&lt;span style=";font-family:Verdana;font-size:10pt;color:black;"   &gt;Three Breaches Compromise 30,000 at Penn State&lt;/span&gt;&lt;/b&gt;&lt;span style=";font-family:Verdana;font-size:10pt;color:black;"   &gt;&lt;br /&gt;&lt;i style="font-style: italic;"&gt;The Pittsburgh Post-Gazette&lt;/i&gt;&lt;span style="font-style: italic;"&gt; reports that Penn State has begun the process of notifying nearly 30,000 individuals that their personally identifiable information (&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_7"&gt;PII&lt;/span&gt;), including Social Security numbers, may have been compromised as a result of three separate &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_8"&gt;malware&lt;/span&gt; infections discovered in late December. The school said it has no evidence that the individual or organization behind the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_9"&gt;malware&lt;/span&gt; gained access to the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_10"&gt;PII&lt;/span&gt;, but has decided to notify as a precautionary measure. "We do not have any indication that it was accessed by unauthorized parties. 
We prefer to err on the side of caution," said spokesperson Annemarie &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_11"&gt;Mountz&lt;/span&gt;. The event was the second known breach at Penn State in 2009.&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style=";font-family:Verdana;font-size:7.5pt;color:black;"   &gt;&lt;a href="http://rs6.net/tn.jsp?et=1102923384773&amp;amp;s=40570&amp;amp;e=001xpoKg2-EtEUvHhWdf-udwO6lbiQDDzFmNDhq1arZRUyhFV1VyyeIyRzUHpfuZpJ9mWapNoBxXN1VRnRH6sR91ic9o_OZjSVBRlkuDJutdSzz1bIZJU04QlZ-F5lvkDEDk5OvsAyldiHd78_vC08HPjn8LHy7PWnf" target="_blank"&gt;&lt;b&gt;Full Story&lt;/b&gt;&lt;/a&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Does it occur to anyone that for as long as we have been entrusting our personal information to others they have been losing it, a lot? One of life's principles is that "Continuing to do the same things while hoping for different results" is a &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_12"&gt;hopeless&lt;/span&gt; waste of time. If they continue to lose our personal information, why then do we continue giving it to them without any sort of check and balance? Certainly all of the laws passed have not had any &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_13"&gt;nulling&lt;/span&gt; effect, nor have any of the so-called procedures and software "solutions". This is not a problem that we have to accept as a &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_14"&gt;given&lt;/span&gt; that requires a highly technical or overly complex set of controls. This is a very basic condition that we, as the actual owners of the prize, could quite well nip in the bud if we were to take it into our own hands. Think about it. Do we all put our prized silver in a big building or a bunch of buildings and then hire people to guard it, or do we keep our own at home and watch it ourselves?
&lt;br /&gt;&lt;br /&gt;The examples above are not isolated cases unless you consider the US Navy and Penn State to be marginal. This is big time mainstream stuff.&lt;br /&gt;&lt;br /&gt;Oh, Happy New Year!&lt;br /&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-7808694960291361697?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/7808694960291361697/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=7808694960291361697&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/7808694960291361697'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/7808694960291361697'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2010/01/welcome-to-other-side-of-new-years-day.html' title='Welcome to the Other Side of New Year&apos;s Day'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-5350925642905209023</id><published>2009-12-15T09:24:00.000-08:00</published><updated>2009-12-15T09:40:23.145-08:00</updated><title type='text'>Great Article</title><content type='html'>I intend to take the balance of the year (two plus weeks) off from this column. 
In the meantime the link below is to a very good article written by a colleague, Julie Friend. I would encourage everyone to read this piece that shows how data loss and identity theft can have far reaching effects on individuals and businesses alike.&lt;br /&gt;&lt;br /&gt;Someone recently told me that the release of those emails proved that the case for climate change was overstated. This individual was showing his ignorance of the realities of global weather changes. Similarly, I see a number of people who should know better who think that those of us who write and work in the field of data protection are overstating the case. I guarantee that not one single victim or breached business would agree with that. Ms. Friend and I along with many others have seen too many cases of devastating loss, arrest, character &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_0"&gt;assassination&lt;/span&gt;, and records corruption to think for a moment that this is an overstated issue. If anything we have not reached enough people.&lt;br /&gt;&lt;br /&gt;Originally published in Voluntary Benefits magazine Ms. 
Friend has graciously allowed me to provide this link for you.&lt;br /&gt;&lt;p class="MsoNormal"&gt;&lt;a href="http://www.voluntarybenefitsmagazine.com/article-detail.php?issue=issue-7&amp;amp;article=identity-theft%20%E2%80%93-yes-it%E2%80%99s-real-and-it-can-happen-to-you%21" target="_blank"&gt;http://www.&lt;wbr&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1"&gt;voluntarybenefitsmagazine&lt;/span&gt;.com/&lt;wbr&gt;article-detail.&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_2"&gt;php&lt;/span&gt;?issue=&lt;wbr&gt;issue-7&amp;amp;article=identity-&lt;wbr&gt;theft%20%E2%80%93-yes-it%E2%&lt;wbr&gt;80%99s-real-and-it-can-happen-&lt;wbr&gt;to-you!&lt;/a&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;br /&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;a href="http://www.voluntarybenefitsmagazine.com/article-detail.php?issue=issue-7&amp;amp;article=identity-theft%20%E2%80%93-yes-it%E2%80%99s-real-and-it-can-happen-to-you%21" target="_blank"&gt;&lt;br /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt; &lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-5350925642905209023?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/5350925642905209023/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=5350925642905209023&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/5350925642905209023'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/5350925642905209023'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/12/great-article.html' title='Great 
Article'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-225922345153772337</id><published>2009-12-07T09:52:00.000-08:00</published><updated>2009-12-07T09:56:47.431-08:00</updated><title type='text'>New Massachusetts Regulations go into Effect in March</title><content type='html'>&lt;b&gt;&lt;span style=";font-family:Verdana;font-size:12pt;color:black;"   &gt;&lt;/span&gt;&lt;/b&gt;&lt;span style=";font-family:Arial;font-size:100%;color:black;"   &gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-style: italic;font-family:Arial;font-size:100%;color:black;"   &gt;Now is the time to start gearing up for compliance with the Bay State's strict new data protection regulations, reports the Boston Herald. The rules take effect in March. Businesses that ignore them "could be at risk," said Bob Baker of the Smaller Business Association of New England. The regulations are widely considered the strictest in the nation. They require entities that possess personal information on any Massachusetts resident to employ certain measures to protect that data. According to Barbara Anthony of the Massachusetts Office of Consumer Affairs, the goal of the law is to "create a culture of security consciousness with respect to the handling of personal information." Editor's note: Privacy Tracker subscribers, for a compliance guide on the Mass. 
data protection regulations, visit the Privacy Tracker Web site.&lt;/span&gt;&lt;span style=";font-family:Arial;font-size:100%;color:black;"   &gt;&lt;br /&gt;&lt;/span&gt;&lt;span style=";font-family:Arial;font-size:10pt;color:black;"   &gt;&lt;span style="font-size:100%;"&gt;&lt;a href="http://rs6.net/tn.jsp?et=1102870267289&amp;amp;s=40570&amp;amp;e=001ygwj4Al6rEydA_1ifmAkqi_hz6agsZ0NGQNBSs1aKkohdSO-QwwVeyIbRGuQNz9sq36Eb_oc4fncbf3ykc-8Ous8ELu4zay5GAmtvuxcMiGZ82TcUv_r2wU-5D3VRTFJE6DLVlkd9s8Kixjdny4Sd6qlPhlk6ghPde0dnsutqvOVFEfgTOXpKbcAVDruK5AL%20" shape="rect" track="on" linktype="link"&gt;&lt;b&gt;&lt;span style="font-family:Verdana;"&gt;Full Story&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&lt;/span&gt;&lt;span style="text-decoration: underline;"&gt;&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size:100%;"&gt;All covered businesses should follow these guidelines carefully. What will happen within the next 12 months is that this will become a federal set of regulations, and at that point there will be no time to argue over compliance and exemptions. 
Smart companies will put this sort of program in effect prior to that.&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/225922345153772337/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=225922345153772337&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/225922345153772337'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/225922345153772337'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/12/new-massachussets-regulations-go-into.html' title='New Massachusetts Regulations go into Effect in March'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-6688972164756997542</id><published>2009-12-03T08:07:00.000-08:00</published><updated>2009-12-03T08:27:08.785-08:00</updated><title type='text'>Two Important Stories</title><content type='html'>&lt;p style="font-family: arial;" class="MsoBodyText"&gt;&lt;span style=";font-size:85%;" &gt;These two stories, although seemingly unrelated, point out two aspects of identity theft that are very much related. In January of this year the Kaiser Permanente Group headquarters in Oakland, Ca. experienced a breach of employee personal information from its Human Resources offices. 
The person charged with the theft was a temporary worker in that office.&lt;/span&gt;&lt;/p&gt;  &lt;p style="font-family: arial;" class="MsoBodyText"&gt;&lt;span style=";font-size:85%;" &gt;We see in these stories the relationship between the current economic climate, a crime of opportunity that will generate cash for the thief, temporary workers who have no real sense of responsibility to the employer, and the irrefutable fact that while we can be diligent with our personal information, it is mostly in the hands of businesses and governments, and out of our control.&lt;/span&gt;&lt;/p&gt;  &lt;p style="font-family: arial;" class="MsoBodyText"&gt;&lt;span style=";font-size:85%;" &gt;Business owners and privacy specialists need to take stock of company risk by assessing their internal systems and putting in place policy guidelines for employees to deal with sensitive information, and procedures for handling breaches when they occur.&lt;/span&gt;&lt;/p&gt;  &lt;p style="font-family: arial;" class="MsoBodyText"&gt;&lt;span style=";font-size:85%;" &gt;All individuals need to be reminded that their ultimate information security policy should include tools to deal with these corporate breaches that result in identity theft. 
One cannot correct their own insurance or SSA files, their DMV records, and other databases once corrupted by identity theft fallout. We need the help of professionals in the business of restoring identities of fraud victims.&lt;/span&gt;&lt;/p&gt;  &lt;p style="font-family: arial;" class="MsoBodyText"&gt;&lt;span style="font-size:85%;"&gt;&lt;b&gt;&lt;i&gt;&lt;span style=""&gt;Medical ID Theft on the Rise&lt;/span&gt;&lt;/i&gt;&lt;/b&gt;&lt;i&gt;&lt;span style=""&gt;&lt;br /&gt;The recession has contributed to a rise in medical identity theft, and as health records move online, the problem is expected to worsen, reports the Wall Street Journal. "Medical identity theft is the fastest-growing form of identity theft," says Jim Quiggle of the Coalition Against Insurance Fraud. Most of the fraud occurs at the hands of healthcare workers who are paid to sell patients' information, the report states. Incidents of medical identity fraud are highest in states with large retiree populations. 
Experts advise consumers to monitor their medical and credit records, keep insurance cards private and avoid providing personal information over the phone.&lt;/span&gt;&lt;/i&gt;&lt;/span&gt;&lt;span style=";font-size:85%;" &gt;&lt;br /&gt;&lt;/span&gt;&lt;span style=";font-size:85%;" &gt;&lt;a href="http://rs6.net/tn.jsp?et=1102860833045&amp;amp;s=40570&amp;amp;e=001XOMC3F95sfQHjiT58LqaIWF6SvtEAus6MxYsfuwg3tYb7UzsYpLp_5lb1FYSFgv2calcz41KcTJcuGWcgr98aI_sx_LnLsf0GtMYE_ZKKUjNBDy7oWx2_Um4LS2mGCHJ8P1m3mM1v7bi2eKYah7YIOiKjrhub41G" target="_blank"&gt;&lt;b&gt;Full Story&lt;/b&gt;&lt;/a&gt;&lt;/span&gt;&lt;/p&gt;  &lt;span style="font-family: arial;font-size:85%;" &gt;&lt;b&gt;&lt;i&gt;&lt;span style=""&gt;Temporary Workers Come with Risk&lt;/span&gt;&lt;/i&gt;&lt;/b&gt;&lt;i&gt;&lt;span style=""&gt;&lt;br /&gt;'Tis the season to keep an eye on temporary workers, according to the general manager of the Payment Card Industry Security Standards Council. "Vigilance is key," Bob Russo told Computerworld, adding that it's a good time of year for managers to "hover over" workers. Russo says that temps, especially, can pose a data security risk to businesses. He recommends that organizations conduct background checks and training, and says they should take care to get their access controls in place. Other tips include monitoring the use of handheld scanners, reviewing log data daily and implementing "hard" firewall policies&lt;/span&gt;&lt;/i&gt;&lt;/span&gt;&lt;span style="font-family: arial;font-family:Arial;font-size:85%;"  &gt;.
&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family: arial;font-family:Arial;font-size:85%;"  &gt;&lt;a href="http://rs6.net/tn.jsp?et=1102860833045&amp;amp;s=40570&amp;amp;e=001XOMC3F95sfRvEuM6RRb7n2UtNPqmIuEdPoTDMmyjuyjHEHDYisyLeWvSuY4uyhSSxpHGNadTyHw7tAPWvZ5D7fgi19B7IU23tk57OfrGwgPRfELewM7WtT8KOveehSkR2yz0vVsmVxmEe59trCGQ6q_T-XGU2_u2Kc3F4UWqsrpSrQ0wmdjDQmqky8dfEaOW%20"&gt;&lt;b&gt;Full Story&lt;/b&gt;&lt;/a&gt;&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/6688972164756997542/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=6688972164756997542&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/6688972164756997542'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/6688972164756997542'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/12/two-important-stories.html' title='Two Important Stories'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-4363467366585272994</id><published>2009-11-30T09:10:00.000-08:00</published><updated>2009-11-30T10:12:24.221-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='data 
theft'/><title type='text'>Data breached Records Skyrockets</title><content type='html'>&lt;span style="font-style: italic;"&gt;Forbes reports on the numbers of data breaches during the first 11 months of 2009. According to the Identity Theft Resource Center, government agencies and businesses reported 435 breaches as of November 17, the report states. But that number, which would indicate a 50 percent reduction from last year's statistics, is deceiving, says Forbes. "In fact, the number of personal records that were exposed...has skyrocketed to 220 million records...compared with 35 million in 2008." The report highlights two of this year's major breaches--Heartland Payment Systems and the National Archive and Records Administration.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Anyone who is still of the impression that data breach is a fading issue needs to understand this.&lt;br /&gt;The people that are actively seeking to steal and sell sensitive personal information are getting better at it. This is large-scale international crime and the profits are tremendous.&lt;br /&gt;Oftentimes the persons responsible for the collection of these data are not the identity thieves. The lists and files are sold as many times as is feasible to anyone who can pay. Organizations from al Qaeda to international underground immigration rings have been linked to the use of stolen identifiable information to further their operations.&lt;br /&gt;&lt;br /&gt;In the speaking engagements I do I always advocate the use of common sense when it comes to safeguarding your personal information, but also that most all identity theft is the result of large-scale data theft and therefore cannot be protected by us as individuals.&lt;br /&gt;If there is any one lesson I hope everyone gets from this, it is to understand the scope of data theft and identity theft. 
To understand it is to be able to secure ourselves much as we do for our health, by having a mitigating protection such as we do with healthcare insurance. But keep in mind that identity theft "insurance" per se cannot replace money lost to identity theft, only out-of-pocket expenses incurred by you the victim in pursuit of clearing up an identity theft episode. Only a restoration service can clear up records and reinstate the victim to pre-theft status.</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/4363467366585272994/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=4363467366585272994&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/4363467366585272994'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/4363467366585272994'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/11/data-breached-records-skyrockets.html' title='Data breached Records Skyrockets'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-8465865720426819821</id><published>2009-11-25T09:10:00.000-08:00</published><updated>2009-11-25T09:13:10.238-08:00</updated><title 
type='text'>Keeping Personal Data Private</title><content type='html'>&lt;a name="LETTER.BLOCK24"&gt; &lt;/a&gt;&lt;table style="border: 0px none ; margin: 0px; border-collapse: collapse; width: 701px; height: 153px;" id="content_LETTER.BLOCK24" border="0" cellpadding="0" cellspacing="0"&gt; &lt;tbody&gt; &lt;tr&gt; &lt;td style="border: 0px none ; padding: 15px 0px; font-family: Arial,Helvetica,sans-serif; color: rgb(0, 0, 0); font-size: 10pt;" styleclass="style_ZeroCell Article MainText" align="left" valign="top"&gt;&lt;span style="font-family: Arial,Helvetica,sans-serif; color: rgb(0, 0, 0); font-size: 10pt;font-family:Arial,Helvetica,sans-serif;font-size:85%;color:#000000;"   &gt;&lt;span style="font-family: Verdana,Geneva,Arial,Helvetica,sans-serif;"&gt;&lt;span style="color: rgb(51, 102, 51);font-size:100%;" &gt;&lt;span style="font-weight: bold;"&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-style: italic;"&gt;The Personal Data Privacy and Security Act of 2009 went  to the full Senate earlier this month and a New  York Times editorial says that Senate leaders should find the time to  vote on it. Sponsored by Vermont Senator Patrick Leahy, the bill "would put more  protections in place for personal data" and would fill the gap in federal data  protection legislation. "There are many important issues competing for  Congress's attention," the editors state, "but keeping people's personal  information safe should rank high on the list." The bill would criminalize the  concealment of security breaches and mandate encryption, among other  requirements. 
&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-size:78%;"&gt;&lt;a style="font-family: Verdana,Geneva,Arial,Helvetica,sans-serif; font-weight: bold;" href="http://rs6.net/tn.jsp?et=1102847215863&amp;amp;s=40570&amp;amp;e=001qxZJw0inxYF5be7WXN_o0_NFKkKIyHjvzvjtnSimP3jBIDx2aVyCy4jgsK-LkP7xMXHY_vDLDpIWWKFraqMeSLWZD9EdFu9CuaOZo_X7F7KkzvR-ceVup5pYuYn4xulMXOimduRIfGZaiLbjNPo0wujhaJFoCO7_-2bgkcqSt55QB4-HgKVKTA==" shape="rect" target="_blank" track="on" linktype="link"&gt;full Story&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;Happy Thanksgiving everyone!&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/8465865720426819821/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=8465865720426819821&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/8465865720426819821'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/8465865720426819821'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/11/keeping-personal-data-private.html' title='Keeping Personal Data Private'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-8060442496386629465</id><published>2009-11-16T11:04:00.003-08:00</published><updated>2009-11-16T11:19:18.329-08:00</updated><title type='text'>Another Suit Filed Over Red Flags Rule</title><content type='html'>&lt;span style="font-size:100%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-style: italic;font-family:Verdana,Geneva,Arial,Helvetica,sans-serif;font-size:100%;"  &gt;The American Institute of CPAs (AICPA) has filed a lawsuit against the Federal Trade Commission (FTC) over the Red Flags Rule, reports WebCPA.com. AICPA &lt;/span&gt;&lt;span style="font-style: italic;font-family:arial;font-size:100%;"  &gt;&lt;a href="http://rs6.net/tn.jsp?et=1102828884301&amp;amp;s=40570&amp;amp;e=001RikWZgG6xzy8u-9tSovZOCi5PKBw6wtFy04g2Il8g4-RABwGjj-MPYhO1XmmzvtnKRQtCv8OcQapoRB9ETHhgGJk9ZO6Z_Y5XDi-xAOhrrv9PW92fg5EpUpc-LzeJx616FhbqptUALuXS4EAxegC9j54rm4ST7u9fJR47eFT_mw=" shape="rect" target="_blank" track="on" linktype="link"&gt;says&lt;/a&gt;&lt;/span&gt;&lt;span style="font-style: italic;font-family:Verdana,Geneva,Arial,Helvetica,sans-serif;font-size:100%;"  &gt; the FTC is wrong to interpret that the rule should apply to accountants. The Red Flags Rule requires that financial institutions and creditors take certain measures to prevent and recognize identity theft. 
"We do not believe that there is any reasonably foreseeable risk of identity theft when CPA clients are billed for services rendered," said AICPA president and CEO Barry Melancon. Late last month a U.S. District Court judge granted an American Bar Association motion to prevent the FTC from holding practicing attorneys accountable to the rule. &lt;/span&gt;&lt;span style="font-style: italic;font-size:100%;" &gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-style: italic;font-size:100%;" &gt;&lt;a style="font-family: arial; font-weight: bold;" href="http://rs6.net/tn.jsp?et=1102828884301&amp;amp;s=40570&amp;amp;e=001RikWZgG6xzyKa2geKOITvsv4NrSFVP03NqSWw97sUfNR_ua1zliw0oV7LdEGylbs4csrXxTprb6ehhtYFoHLhKUGdgFlQnGYWXgry-yqPfOgKBbPys65Ku8AI9cqcH50vuI5-l0JbWg3DazBzl7s4ED62wLiEE23mWxAMyYHmdjS0xoQBCIGAw==" shape="rect" target="_blank" track="on" linktype="link"&gt;Full Story&lt;/a&gt;&lt;/span&gt;&lt;span style="font-style: italic;font-size:100%;" &gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-style: italic;font-size:100%;" &gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-size:100%;"&gt;Anyone who has read or even scanned the Red Flags legislation cannot help but see that this is intended to lower the incidence of identity theft through a sensitivity and understanding of what some of the causes are. Attorneys seem to be more sensitive to having oversight from outside their ranks than to stopping identity theft. 
I am pretty certain, however, that when an attorney suffers at the hand of identity thieves they want to know what the company whose compromise caused the theft had done to safeguard their information prior to the breach.&lt;/span&gt;&lt;span style="font-style: italic;font-size:100%;" &gt; &lt;/span&gt;&lt;span style="font-size:100%;"&gt;Not wanting to lose their own thunder, the lobbyists for CPAs feel the need for their own exemption. That is evident in the statement by Mr. Melancon, who mistakenly links billing to theft. It isn't the billing, Mr. Melancon, it's the data lying about in your company waiting for someone to walk out with it on a CD, or to hack your servers and get it.&lt;/span&gt;&lt;span style="font-style: italic;font-size:100%;" &gt;&lt;br /&gt;&lt;br /&gt;Again,&lt;span style="font-weight: bold;"&gt; "When you safeguard the information you keep on others you are protecting them. 
When someone else does it they are protecting you."&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-style: italic;font-size:78%;" &gt;&lt;span style="font-style: italic;font-size:100%;" &gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/8060442496386629465/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=8060442496386629465&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/8060442496386629465'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/8060442496386629465'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/11/anothwer-suit_16.html' title='Another Suit Filed Over Red Flags Rule'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-5812604884580480857</id><published>2009-11-02T07:52:00.000-08:00</published><updated>2009-11-03T08:01:04.383-08:00</updated><title type='text'>Red Flags Delayed Until June 1, 2010</title><content type='html'>&lt;em&gt;At the request of Members of Congress, the Federal Trade Commission is delaying enforcement of the "Red Flags" Rule until June 1, 2010, for 
financial institutions and creditors subject to enforcement by the FTC&lt;/em&gt;.&lt;br /&gt;Read the FTC Announcement:&lt;br /&gt;&lt;a href="http://www.ftc.gov/opa/2009/10/redflags.shtm" shape="rect" target="_blank"&gt;http://www.ftc.gov/opa/2009/10/redflags.shtm&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;And in a related story, I am sorry to report:&lt;br /&gt;&lt;br /&gt;&lt;em&gt;The American Bar Association is celebrating a ruling by the U.S. District Court for the District of Columbia barring the Federal Trade Commission (FTC) from applying the requirements of the Red Flags Rule to attorneys.&lt;br /&gt;"This ruling is an important victory for American lawyers and the clients we serve," ABA President Carolyn B. Lamm said in a written statement. "The court recognized that the Federal Trade Commission's interpretation of the Fair and Accurate Credit Transactions Act (FACTA) over-reaches and its application to lawyers is unreasonable. By voiding the FTC's interpretation of a statute that was clearly not intended to apply to the legal profession, the court has ensured that lawyers stay focused on the mission of their work: providing aid and counsel to the individuals and organizations that need us."&lt;br /&gt;The FTC is expected to appeal the Court's ruling. FTC General Counsel Willard Tom said, "It's safe to assume the Commission is going to consider its options very seriously. 
We think there is no reason lawyers should be exempt."&lt;br /&gt;&lt;/em&gt;Read more:&lt;br /&gt;Ruling bars application of FTC 'Red Flags Rule' to legal profession&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.wisbar.org/AM/Template.cfm?Section=News&amp;amp;Template=/CM/ContentDisplay.cfm&amp;amp;ContentID=87099" shape="rect" target="_blank" track="on" linktype="link"&gt;http://www.wisbar.org/AM/Template.cfm?Section=News&amp;amp;Template=/CM/ContentDisplay.cfm&amp;amp;ContentID=87099&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I hope the legal profession is aware that a lot of people (including me) are going to pay close attention to the security practices of law firms. This means of course that law firms will no longer be tossing paper client records into dumpsters as has happened several times in the last year, and if police reports are accurate seems to be a favorite way for law firms to dispose of old records. As I reported last year I also had two encounters where a County Superior court judge handed out materials on recycled paper containing personal and banking information that had been previously entered into evidence. 
The way I see this, the legal profession has shown itself to be not only ignorant of the intention of the laws but also, due perhaps to industry hubris, unable to bear being regulated by an outside authority.&lt;br /&gt;&lt;br /&gt;When your or my identity is misused by thieves as the result of a law firm's lax information security practices, will we really care that they successfully lobbied for exemption to a procedure that might well have prevented the crime from even happening? What are they celebrating, a win?</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/5812604884580480857/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=5812604884580480857&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/5812604884580480857'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/5812604884580480857'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/11/rede-flags-delayed-until-june-1-2010.html' title='Red Flags Delayed Until June 1, 2010'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-8126468241017894706</id><published>2009-10-29T09:33:00.000-07:00</published><updated>2009-10-29T09:47:21.836-07:00</updated><title type='text'>The FBI Favors A National Breach Notification Standard</title><content type='html'>&lt;em&gt;The Federal Bureau of Investigation is in favor of a national data breach notification standard, reports Nextgov.com. Agency officials say it would help law enforcement fight cybercrime, the report states. During a cybersecurity discussion in Washington yesterday, the head of the FBI's Cyber Criminal Section said such a standard "would help us tremendously, particularly in terms of efficiency in conducting investigations." Troy said that widespread reporting would help cyber cops discover links and potentially prevent similar attacks. 
Senator Leahy's Personal Data Privacy and Security Act, introduced in July, and a Senate cybersecurity bill to be introduced this year include or will include breach-notification rules.&lt;/em&gt;&lt;br /&gt;&lt;a href="http://rs6.net/tn.jsp?et=1102793840482&amp;amp;s=40570&amp;amp;e=001r-0x3bdIolnhPg__HOSW0slL-0Fo167BzY6o-3zm7czNbQejkVmsG944kX9127xKZFFIhfWF4Gubwz5lXFzqmcnviaVjcAstMrg1ZrYW2KAdDpRnJZMNHVk1H66SvBm5Pb1BdngTX3vxLsEktPPBti6ENI79kiw_6mHX-DNzOK4d1PLRg42pTw==" shape="rect" target="_blank" track="on" linktype="link"&gt;Full Story&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I've long said that unless the states can get together and pass comprehensive legislation to enforce data breach notification, then the Federal government will.&lt;br /&gt;&lt;br /&gt;Then there is this from Javelin Research,&lt;br /&gt;&lt;br /&gt; &lt;strong&gt;&lt;em&gt;Breach Notifications Fall Flat on Consumers&lt;/em&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;em&gt;The Credit Union Times reports on study findings that suggest consumers do not understand the importance of data breach notifications and, as a result, fail to protect themselves from fraud. Javelin Strategy and Research says that consumers who have been notified of a breach of their data were four times more likely than the public at large to experience fraud, the report states. The firm said that 19 percent of consumers who received a data breach notification over the past year have become the victims of fraud within a year of the notification. 
&lt;/em&gt;&lt;a style="FONT-FAMILY: Verdana,Geneva,Arial,Helvetica,sans-serif; FONT-WEIGHT: bold" href="http://rs6.net/tn.jsp?et=1102793840482&amp;amp;s=40570&amp;amp;e=001r-0x3bdIolmvEQngosq42oH8wzRGoLRmeH96grWWoUmF2HXS31qhL-sAbjRnxUK8ygSW-tONs-qWH0FHKDl4gID5tI6TBQO0S8dMA9q2V9toy2BW580uvNfesOQVshrzr3SakEdtNeSoc9hLJc__0gkPuE9-zi6vniaaAw4ywLmgHxGIagga8R9qtnfxMvb9wH9NMzPOJg4YW8Xfmd9ZHfj07u-n6a9-IROl6cuiRNyRRJrx4RHfNQ==" shape="rect" target="_blank" track="on" linktype="link"&gt;&lt;em&gt;Full Story&lt;/em&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Perhaps federal regulations will also help to improve public awareness. In my experience almost no one is aware of the breadth of identity theft and its various permutations until they get some honest education on the subject. Then almost to a person they see the beauty of notifications and what that can mean as an early warning. They also usually see the great benefit of having a good service in place ahead of time.&lt;br /&gt;&lt;br /&gt;When you are a victim of identity theft, what do you really want in a service? Do you want an "Insurance Policy", or do you want comprehensive restoration? Since insurance can &lt;em&gt;ONLY&lt;/em&gt; replace out-of-pocket expenses incurred when trying to perform your own restoration, what is the point of underwritten insurance?&lt;br /&gt;&lt;br /&gt;How about credit monitoring? Is that of any real help if there isn't any follow-up to work with the victim to clear the erroneous notations and record entries? 
Again, without restoration no monitoring service is of any substantial value.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-8126468241017894706?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/8126468241017894706/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=8126468241017894706&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/8126468241017894706'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/8126468241017894706'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/10/fbi-favors-national-breach-notification.html' title='The FBI Favors A National Breach Notification Standard'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-4628969342446388667</id><published>2009-10-28T07:45:00.000-07:00</published><updated>2009-10-28T07:46:36.327-07:00</updated><title type='text'>Red Flags Exemptions for Small Businesses</title><content type='html'>This is very important for all business owners to read.&lt;br /&gt;&lt;br /&gt;The U.S. 
House of Representatives this week unanimously passed legislation that would exempt certain small organizations from complying with the Red Flags Rules.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://rs6.net/tn.jsp?et=1102790157710&amp;amp;s=3567&amp;amp;e=001wHFuv0AyXoBPLbhDddQuvNT8H5yDP51AaMc_Xme-lzLmgHitVbCi8CMSTC5RT5p07LlpJJRBF6VqnOJmFrAow9cDgM7LlphElSB9fDxK2s9PLEgAuRUMddBhSOgIPjAfyOU1sVXU1Wz5J2mDaW9isGYFLNoLretj" shape="rect" target="_blank" linktype="link" track="on"&gt;H.R. 3763&lt;/a&gt; unanimously passed the U.S. House of Representatives this week, and would amend FACTA and the component Identity Theft Red Flags Rule to exclude health care, accounting, and legal practices with 20 or fewer employees from having to comply with the regulations, set to be enforced starting next month. &lt;br /&gt;&lt;br /&gt;Also, the bill would create a provision to enable other businesses to apply for exemption. To be exempt from complying with the regulation, the bill stipulates that a business would have to meet at least one of the following guidelines:&lt;br /&gt;It must know all of its customers or clients individually;&lt;br /&gt;It must only perform services in or around the residences of its customers; or&lt;br /&gt;It must not have experienced incidents of identity theft, and identity theft must be rare for businesses of its type.&lt;br /&gt;The bill now will move to the U.S. Senate Committee on Banking, Housing, and Urban Affairs for a vote.&lt;br /&gt;&lt;br /&gt;It is not yet known at this time if this pending bill will further delay the FTC's enforcement of the Red Flags Rule, which is still currently set to begin on 1 November, 2009.  
Read more: &lt;br /&gt;&lt;a href="http://rs6.net/tn.jsp?et=1102790157710&amp;amp;s=3567&amp;amp;e=001wHFuv0AyXoDjASsAx6LnLh-goBC5lZN2KARyV85wVQtYVi0dh0jFCQoelFuita9rPAZujlowf8ZM0OlUlk2DTLg-S2Vi4v0xNPlIH6aiU14wmt-iyyMIWGnWaa9G35fDnfR1Ak3zQvloKRvWgv9j_f4J1lpk8Y0z1Ge0RwhZdw-qIzTmzkKeTjnoR3ebOFjNYnL2Tav-_n_ZXMt5oTtHCaDDZDqIwiRW" shape="rect" target="_blank" linktype="link" track="on"&gt;New ID theft rules may not pertain to small businesses&lt;/a&gt;&lt;br /&gt;by: Angela Moscaritolo, SCMagazine.com&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-4628969342446388667?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/4628969342446388667/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=4628969342446388667&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/4628969342446388667'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/4628969342446388667'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/10/red-flags-exemptions-for-small.html' title='Red Flags Exemptions for Small Businesses'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-3527600397594388082</id><published>2009-10-16T10:34:00.000-07:00</published><updated>2009-10-16T10:49:55.596-07:00</updated><title type='text'>Which Story to Post? Payroll company loses PII, and Underreporting losses</title><content type='html'>It isn't often I am faced with a decision as to which story to post here. I generally shy away from reporting specific breaches unless the particular story reinforces a point I am trying to stress regarding employee training perhaps or simple gross negligence in the face of what should be common knowledge amongst the business community.&lt;br /&gt;In this case however, I found two such stories on the same day and have them here for you.&lt;br /&gt;&lt;br /&gt;&lt;em&gt;The Washington Post reports that, for the &lt;/em&gt;&lt;a style="FONT-FAMILY: Verdana,Geneva,Arial,Helvetica,sans-serif" href="http://rs6.net/tn.jsp?et=1102768779676&amp;amp;s=40570&amp;amp;e=001lvaEayiVrBgnV9b68lPKDYG_HlygGRWTqyhTJJMJhA31-DF5MlZVXXRYDqQ3MSnPIyyh-0C9tio19Y-TzINFY1OCbdlqXwGdaCvzREOXRqM_5SjnGN0VaA5XCGF1knaj7ajFgSsMwefUu4oWku5wq9_9KHiV3GPKP7FQF3vjlM0BWTcuu58kiqdlZ1XwqLLcIySYm1p5t4d_YF8q9CAU0Cjm7W6Q5CBuC75P8AW1puw=" target="_blank" track="on" linktype="link"&gt;&lt;em&gt;second time&lt;/em&gt;&lt;/a&gt;&lt;em&gt; in a month, hackers have gained the login credentials of PayChoice clients. The company sent a notice to customers yesterday to let them know that thieves had exploited a weakness in the password-change component of the company's online payroll portal, the report states. 
PayChoice has since disabled the site and modified logins. In its e-mail alert to clients, PayChoice said "...we determined that valid user credentials...were used in an unauthorized manner to...have payments made to fraudulent bank accounts."&lt;/em&gt; &lt;a href="http://rs6.net/tn.jsp?et=1102768779676&amp;amp;s=40570&amp;amp;e=001lvaEayiVrBjg5kLYq82s83k4mxsF87Vkn4kG0AH4VP6NzgH70lx_O5vI55Hp5zlz8cIlIv9P-MBV_i1K3sdVjqz1rskxQD80ZQk-Weg7Qg7p5kpF78sDu9q0b4UNtf_2OmKo20LLo2aW_-tmSnCwokMNwn6cvWHKecY7SQQpiQcGipMET9Rc1im8bSY8GDRihHUnJY_xCDN-HD-6qq-sfJdleeJx3gZU-qro04FVTLY=" target="_blank" track="on" linktype="link"&gt;Full Story &lt;/a&gt;&lt;br /&gt;&lt;br /&gt;There is simply no excuse for a payroll company to have such an incident in light of the laws in effect (FACTA Red Flags Rules specifically) that require them to take specific precautions to prevent just such a breach.&lt;br /&gt;&lt;br /&gt;This next item shows clearly that giving discretion to breached entities as to whether and when to report breaches serves no one. People who have had their information mishandled or lost while it is in the trust of an organization have the right to know about their increased risk so that they might take appropriate steps to protect themselves. 
That is the problem that I and others have with the reporting laws that give wide discretion to not report or delay reporting information losses.&lt;br /&gt;&lt;br /&gt;&lt;em&gt;The results of an audit involving the loss of Connecticut taxpayers' data show the state took too long to determine whether confidential information was compromised, reports The Day. The names and Social Security numbers of 106,000 Connecticut taxpayers were exposed when a Department of Revenue Services (DRS) employee's laptop was stolen from a parked car. "DRS botched its initial response to the theft," said AG Richard Blumenthal who took part in the audit. "Inexcusably, our tax agency exposed more than 100,000 taxpayers for nearly a week to possible plundering of personal assets." But Blumenthal hailed DRS for tightening access controls, encrypting data and developing data breach procedures since then. 
&lt;/em&gt;&lt;a href="http://rs6.net/tn.jsp?et=1102768779676&amp;amp;s=40570&amp;amp;e=001lvaEayiVrBh5Aj6aVQELD5vTLusBOXGK6gVm9EbwHB5tAqtdTfD03GbPE3NUtG-9HUbuCI8DbLH9DYnjMUyJEvqLlIQFAyob0fBBB-mYU73VPhqvYyIxeEYgXKwQlXwDi7c6748iGcK2-y2AVNYgQn_42vYOmHSlweGR8RVpGuC_gJIRRra-gw==" target="_blank" track="on" linktype="link"&gt;&lt;em&gt;Full Story&lt;/em&gt; &lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-3527600397594388082?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/3527600397594388082/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=3527600397594388082&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/3527600397594388082'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/3527600397594388082'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/10/which-story-to-post-payroll-company.html' title='Which Story to Post? 
Payroll company loses PII, and Underreporting losses'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-748980785209015235</id><published>2009-10-15T08:48:00.000-07:00</published><updated>2009-10-15T08:50:27.321-07:00</updated><title type='text'>Extraordinary Quote</title><content type='html'>&lt;em&gt; "The more people who have your data, the greater likelihood that either they're going to lose it or a rogue employee will abuse it," said Fred Cate, director of the Center for Applied Cybersecurity Research at Indiana University.&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;We could use more people like Fred Cate.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-748980785209015235?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/748980785209015235/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=748980785209015235&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/748980785209015235'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/748980785209015235'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/10/extroadinary-quote.html' title='Extraordinary Quote'/><author><name>John 
Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-604265654134265329</id><published>2009-10-14T08:43:00.000-07:00</published><updated>2009-10-14T11:37:44.666-07:00</updated><title type='text'>IRS Personal Identity Security Issues</title><content type='html'>&lt;em&gt;The Internal Revenue Service says that efforts to help protect taxpayers from identity fraud, spearheaded by the agency's Online Fraud Detection and Prevention Office, are paying off. The agency points to more than 3,000 suspected phishing and fraud-related Web sites being shuttered since the office opened in 2007. However, Government Computer News reports that the IRS also struggles with internal data security, and that hundreds of taxpayers were affected by 149 breaches last year. A Government Accountability Office report said the "IRS has information security weaknesses that increase the likelihood of IRS employees committing identity theft," which the IRS attributes to weakness in authorization and authentication.&lt;/em&gt;&lt;a style="FONT-FAMILY: Verdana,Geneva,Arial,Helvetica,sans-serif; FONT-WEIGHT: bold" href="http://rs6.net/tn.jsp?et=1102763600317&amp;amp;s=40570&amp;amp;e=001eiSBTHGe0GV3AVlw_YtXnxyXZ0eyn7rIWFCZ5lS-uaaUDbF7OCfr31XzUvusfheQrDzmbBZ7ll-0VY9yyIjPdEp3-SercBHVJ9xRBFgDyewJUzAEE0Yr8RM3hOjeoqAxNBKtoHRAkK7MLgR8KGEJSlH54K3bkMa150gGe1BlbCM8atK27x2whmD-pVhougCz" target="_blank" linktype="link" track="on"&gt;&lt;em&gt;Full Story&lt;/em&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Every federal agency is struggling with these issues. 
This is yet another reminder that information security is a paramount problem. Personal information is fast becoming the most valuable asset within any enterprise. Not just company secrets but personal information on employees and customers. Our information is in many places where we have no control over its security. Even the agencies and enterprises have no absolute control as you see here. At last count in 2008 approximately 62% of all breaches were the result of employees taking the data out of the office for the purpose of selling it or using it themselves for financial gain.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-604265654134265329?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/604265654134265329/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=604265654134265329&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/604265654134265329'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/604265654134265329'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/10/irs-personal-identity-security-issues.html' title='IRS Personal Identity Security Issues'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-1169586568188934135</id><published>2009-10-09T10:26:00.000-07:00</published><updated>2009-10-09T10:46:08.724-07:00</updated><title type='text'>So Much for Red Flags?</title><content type='html'>&lt;a name="LETTER.BLOCK10"&gt;&lt;br /&gt;&lt;em&gt;A Maryland Bank Tosses Personal Records in the Trash&lt;/em&gt;.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I am shocked but frankly not surprised to see this story. Even though banks were among the businesses that were supposed to be Red Flags compliant prior to November 2008, I can guarantee that many are not. It is just as obvious that they do not take the intention of training seriously, as is outlined in the FACT Act (where the Red Flags Rule comes from). FACTA supplemental material from the FTC makes training an important component of any data protection program. I don't think anyone who reads this column would have done something as irresponsible as to toss out personal records so haphazardly. The reason is that you are aware of the risks. Prepare the bank employees with the same sensitivity and this story would not have needed to be written. It's not as much about signing off on a compliance document as it is about understanding why compliance needs to be done. Since it is the rank and file employee who handles personal information on the job, it is not sufficient for banks and other businesses to orient only management staff. Security is only as good as the weakest link.&lt;br /&gt;&lt;br /&gt;&lt;em&gt;A number of customers in Rodgers Forge, Maryland were upset to learn that the institution which recently took over the local branch of the former Bradford Bank has been less than protective of their personal and banking information. 
Baltimore television station ABC2 reports that pages of documents were found discarded and unshredded in a trash bin outside the bank. Among them were bank statements and security-related information, days-old cancelled checks and photocopied driver's licenses. IAPP past president Chris Zoladz, CIPP, founder of the privacy consultancy Navigate LLC, comments on the breach&lt;/em&gt; &lt;a style="FONT-WEIGHT: bold" href="http://rs6.net/tn.jsp?et=1102755517812&amp;amp;s=40570&amp;amp;e=001-Zm4BOTf1Hb8huV7IFewSAdGFlsMM1WW-yemtI3yczG4TD0Sle9te8-2HSmFRF4zrb-taC8OUBT0NxZf-G0hotVZm8n2z62b_BYmxLgbuz6zNVHm1IVUmPuqXhp4vu0QzFtjHxRsSkQuhGGL4fDQGBH-ORkaqe7dq60KjGjy587uzghpnfcaBWKHLNwWVsfhtPyvm8Aenb9Y_nIQqsQr9cQUwugxEEvMSQ9OiF4XEcM=" target="_blank" linktype="link" track="on"&gt;Full Story&lt;/a&gt; &lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-1169586568188934135?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/1169586568188934135/comments/default' title='Post Comments'/><link rel='replies' type='text/html' 
href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=1169586568188934135&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/1169586568188934135'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/1169586568188934135'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/10/so-much-for-red-flags.html' title='So Much for Red Flags?'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-4186378090042775547</id><published>2009-10-07T14:22:00.000-07:00</published><updated>2009-10-07T14:28:02.236-07:00</updated><title type='text'>What is a Financial Institution or Creditor?</title><content type='html'>When I speak to business owners about the new Red Flags Rule (FACTA), I am often confronted by a common response. "We are not a financial institution." 
I hear that from law firms, accountancies, stock brokerages, and many other types of businesses that by the definitions below are financial institutions.&lt;br /&gt;&lt;br /&gt;In an attempt to clarify once and for all what the Federal Trade Commission considers to be a “creditor” or a “financial institution” the links below will hopefully provide a definitive explanation.&lt;br /&gt;&lt;br /&gt;The FTC &lt;a href="http://www.ftc.gov/os/statutes/redflags.pdf"&gt;recently clarified&lt;/a&gt; that “creditors” covered under the Red Flags Rule are as defined by the Equal Credit Opportunity Act (ECOA). This &lt;a href="http://www.ftc.gov/os/2009/04/P095406redflagsextendedenforcement.pdf"&gt;broad ECOA definition of creditor&lt;/a&gt; includes any business that bills or invoices customers after products are delivered or services are rendered.&lt;br /&gt;&lt;br /&gt;The ECOA definition includes many small businesses and professionals such as contractors, consultants, lawyers, doctors, retailers and a spectrum of clinics and practices in the health care industry including those that submit medical insurance claims on behalf of patients.&lt;br /&gt;&lt;br /&gt;From my business experience, the ECOA definition covers most every business and many public and volunteer sector organizations too, because at least on occasion, most of them bill or invoice for goods or services after they are delivered. 
An FTC staff attorney said that if a business bills more than once every two years, they should consider the business covered.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-4186378090042775547?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/4186378090042775547/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=4186378090042775547&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/4186378090042775547'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/4186378090042775547'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/10/what-is-financial-institution-or.html' title='What is a Financial Institution or Creditor?'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-4298265394437399062</id><published>2009-10-07T09:53:00.000-07:00</published><updated>2009-10-07T10:04:33.863-07:00</updated><title type='text'>Congress Seeks Repeal of HHS Breach Rule</title><content type='html'>&lt;em&gt;Members of the House Committee on Energy and Commerce are concerned that the data breach notification provision included in the &lt;span id="SPELLING_ERROR_0" class="blsp-spelling-error"&gt;&lt;span id="SPELLING_ERROR_0" 
class="blsp-spelling-error"&gt;HITECH&lt;/span&gt;&lt;/span&gt; Act may have been undermined by a Health and Human Services rule, known as the "harm threshold," which gives breached companies leeway in deciding whether notice may be required. In a letter to HHS Secretary Kathleen Sebelius, committee chair Rep. Henry Waxman (D-CA) and other members of the committee urged the secretary to revise or repeal the provision, published in late September. Privacy watchdogs claim the HHS rule was drafted under pressure from the healthcare industry to eliminate possible financial repercussions stemming from a health information data breach&lt;/em&gt;.&lt;a style="FONT-WEIGHT: bold" href="http://rs6.net/tn.jsp?et=1102750152057&amp;amp;s=40570&amp;amp;e=00133KiiBitehi8blvvEriuqV3z8TQ06pWD1iJ-BAmtF-O9-uEBu2XMZ_jCk5L0oWYFztfAf5wTVA5K9FcwZtK1anTiSMoYCzcvbyDeX5VoheViMq_rNxce2bZ3NPBoe_jEmNi7LVWuVXiB8ciPZ4mwwh6PtuuUFzTXHlp9CHpuBWfadL7DcGWfEU2ak_BSJJ-e3DfLje9WvW7-rm1qIrN5zeKbi3CzXYxysigvoDBrX6U4wKJSzTcHCHcOyn9VJ313" target="_blank" track="on" linktype="link"&gt;Full Story &lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I was heartened to see this news item. As I have said before, harm thresholds give too much discretionary power to the breached entity in determining whether and whom to notify of a breach of NPI. 
The point of notification laws is twofold: to put teeth in the data protection legislation so that private and public enterprises will take heed, and also to give potential victims the advantage of an early warning when a breach does occur, giving them the opportunity to respond and protect themselves.&lt;br /&gt;&lt;br /&gt;While there needs to be a modicum of discretion on the part of investigators of data breaches to not reveal information that might compromise the discovery of evidence, it is the responsibility of the company or agency to make certain the victims are aware of the breach(es).&lt;br /&gt;&lt;br /&gt;No business can really afford the fallout from a data breach, both in public confidence and the direct financial losses and fines. A proactive approach to information protection is essential, including the identity theft awareness training of all staff regardless of job title.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-4298265394437399062?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/4298265394437399062/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=4298265394437399062&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/4298265394437399062'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/4298265394437399062'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/10/congress-seeks-repeal-of-hhs-breach.html' title='Congress Seeks Repeal of HHS Breach Rule'/><author><name>John 
Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-817665143783661033</id><published>2009-10-02T08:23:00.000-07:00</published><updated>2009-10-02T08:33:06.280-07:00</updated><title type='text'>76 million Veteran records in Question</title><content type='html'>&lt;em&gt;The inspector general of the National Archives and Records Administration (NARA) is investigating a potential data breach involving the sensitive data of 76 million military veterans, reports Wired. The records were contained on a failed hard drive that was returned to a contractor for repair without first being sanitized, the report states. The contractor passed along the drive, which was beyond repair, to a recycling firm. The NARA IT manager who reported the incident to the inspector general told Wired: "This is the single largest release of personally identifiable information by the government ever." NARA says it does not believe there was a breach of PII.&lt;/em&gt; &lt;a href="http://rs6.net/tn.jsp?et=1102741194813&amp;amp;s=40570&amp;amp;e=001KGR5TNDSLuXO9oJ_LoSO8fpYJPdo4Hutn-XRcVX8an_-ViANe6Ld0wPJt8iRcjXBuXSp-atavXjZLTrMWI8411fetuQ3YaHOx6Q5Mr2hkHP3lV8uxNTPeFkVf1en9hkmRlFNhRWzUvlVHKXnAIIkKc3qewDdByYwYtSrQi77MAk3VBNtzfkxk9uV0vOxIdSGDLDispURUs7IHIygI55jssoluWVwHFyE" target="_blank" linktype="link" track="on"&gt;Full Story &lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Ladies and gentlemen, let me make this as clear as a bell for you. There is only ONE way to ensure that a hard drive is safe to recycle. 
Do not listen to any other advice!&lt;br /&gt;&lt;br /&gt;There is only ONE certain way to render a drive of any kind useless to data thieves. DRIVE A BIG NAIL THROUGH THE DISK. If it is a flash drive smash it with a hammer, smash it good. Never recycle a laptop, photo copy machine, server, desk top computer, fax machine, unless you, the user, render the drives useless. Never leave it to anyone else to do.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-817665143783661033?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/817665143783661033/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=817665143783661033&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/817665143783661033'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/817665143783661033'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/10/76-million-veteran-records-in-question.html' title='76 million Veteran records in Question'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-2632469151214872748</id><published>2009-09-29T13:40:00.000-07:00</published><updated>2009-09-29T13:42:25.873-07:00</updated><title type='text'>They Keep Sending the 
Faxes</title><content type='html'>For all of you who still are under the illusion that data breaches can be prevented I submit the following...&lt;br /&gt;&lt;em&gt;&lt;/em&gt;&lt;br /&gt;&lt;em&gt;Doctors in three Tennessee cities have been sending sensitive patient information to the fax machine of an Indiana businessman for three years, reports the Tennessean.com. "This is a total breach of privacy," said the recipient of the faxes, Bill Keith. Despite repeated attempts to correct the problem, including calls, faxes and e-mails to state officials and the doctors' offices, Keith says his office continues to receive about five faxes each week that contain patients' data, including medical histories and Social Security numbers. A Department of Human Services spokesperson described the situation as "troubling." &lt;/em&gt;&lt;a style="FONT-WEIGHT: bold" href="http://rs6.net/tn.jsp?et=1102733512066&amp;amp;s=40570&amp;amp;e=001KDyjpYwOgLf5KNJEJq2C8BZG3YAHbOFJuKdfryyF7chNz_8Z_RALZbzuIHg_Sy68wAoTymBRMFzwxQ8aPe7CF_DlTa1a7_rwVDZKd1r4vfZhlrf63cMq5SrNz72LS_3CrGxD0W-TO_o2Zq5TF6eLenO3gAaj9QqZQWdASJJJQIydCLQDlCApnk7irEe1cdbwNKmafp6kUVcv-T2ubJt04pOTkSzAS_9nRiHVIVV4xzviUiciWgIXaWdQzzRoEWwGwdKu_08Aj50=" target="_blank" track="on" linktype="link"&gt;&lt;em&gt;Full Story&lt;/em&gt; &lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-2632469151214872748?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/2632469151214872748/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=2632469151214872748&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/2632469151214872748'/><link rel='self' 
type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/2632469151214872748'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/09/they-keep-sending-faxes.html' title='They Keep Sending the Faxes'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-7018982213266915476</id><published>2009-09-28T09:23:00.000-07:00</published><updated>2009-09-28T13:01:22.974-07:00</updated><title type='text'>Only 163,000 Breached Records Contained Social Security Numbers!</title><content type='html'>&lt;em&gt;The University of North Carolina is notifying 163,000 women that their personally identifiable information was exposed in a security breach, reports &lt;span id="SPELLING_ERROR_0" class="blsp-spelling-error"&gt;Computerworld&lt;/span&gt;. A hacker broke into a system containing records on women who participated in a federally-funded research project. The information of more than 236,000 women who have participated in the &lt;span id="SPELLING_ERROR_1" class="blsp-spelling-error"&gt;UNC&lt;/span&gt; School of Medicine mammography research study was exposed, but only 163,000 records contained Social Security numbers. The breach was discovered in July. The system was taken offline. A university spokesperson said that &lt;span id="SPELLING_ERROR_2" class="blsp-spelling-error"&gt;UNC&lt;/span&gt; is implementing precautions to prevent future breaches. 
&lt;/em&gt;&lt;a href="http://rs6.net/tn.jsp?et=1102731402370&amp;amp;s=40570&amp;amp;e=001xBHuP_5dk8Sg8m6SAFXxiB0SyETpZY3MHdftBBqxA4Y7hBbH48nEPRvRAxjU7tlI88j3_OeNR2tqAXPTqNJ-SBJQ7RpvZ27zbOiys-MIJGlSMs5GdE9KXczVA7y5d3oySqWieggOSlEesXrEGbjtgMcfXFwHv9Xm_BX5MxN1e5FsK1EYh3g6-bkLsLD4qRBYEMtzI1WqzCU=" target="_blank" track="on" linktype="link"&gt;&lt;em&gt;Full Story&lt;/em&gt; &lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Now what do you think about breach notification laws? &lt;span id="SPELLING_ERROR_3" class="blsp-spelling-error"&gt;UNC&lt;/span&gt; believes these intrusions might go back several years and the women affected are just being notified now. Does this provide the best opportunity for the potential victims to prepare for what might result in the worst legal nightmare they will ever experience? How many of them are already having &lt;span id="SPELLING_ERROR_4" class="blsp-spelling-corrected"&gt;difficulties&lt;/span&gt; as the result of these breaches?&lt;br /&gt;&lt;br /&gt;This also illustrates once again that our personal information is out there in &lt;span id="SPELLING_ERROR_5" class="blsp-spelling-corrected"&gt;hundreds&lt;/span&gt; if not thousands of lists and databases of all types. It really doesn't matter much to information thieves where the info is as long as they can get it. If there is a list somewhere that has value to a data thief then it is a target.&lt;br /&gt;&lt;br /&gt;I will always maintain that the best defense against these and other types of data misuse is to have a service that will work for you in the event of a data theft episode. Don't wait until after the fact, have something in place first. Most services will not provide the same level of services after your identity is misused as they will as a preventive tool unless you pay a healthy fee. It is more cost effective to have a service in place first. 
When you consider that the average identity theft episode costs over $90K an identity theft service provides an amazing ROI.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-7018982213266915476?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/7018982213266915476/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=7018982213266915476&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/7018982213266915476'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/7018982213266915476'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/09/only-163000-records-contained-social.html' title='Only 163,000 Breached Records Contained Social Security Numbers!'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-5145973804476199077</id><published>2009-09-24T08:36:00.000-07:00</published><updated>2009-09-30T11:01:25.826-07:00</updated><title type='text'>Protecting Employee Information in the Hands of Others</title><content type='html'>In &lt;strong&gt;&lt;em&gt;Business Management Daily&lt;/em&gt;&lt;/strong&gt;, Susan &lt;span id="SPELLING_ERROR_0" class="blsp-spelling-error"&gt;Lessack&lt;/span&gt; of Pepper Hamilton &lt;span 
id="SPELLING_ERROR_1" class="blsp-spelling-error"&gt;LLP&lt;/span&gt; offers guidance on protecting employee data handled by third-party vendors. &lt;span id="SPELLING_ERROR_2" class="blsp-spelling-error"&gt;Lessack&lt;/span&gt; says: "A good contract with your vendor is your best protection against liability," and cites specific terms to include in contracts, such as those that limit the number of people who can access the data. &lt;span id="SPELLING_ERROR_3" class="blsp-spelling-error"&gt;Lessack&lt;/span&gt; says that, although the vendor may be reluctant to enter into such a term, the contract "should stipulate that the vendor is legally responsible for any data breach that occurs during its engagement, and that it will indemnify you and your employees for any actions resulting from a breach." &lt;a href="http://rs6.net/tn.jsp?et=1102725665942&amp;amp;s=40570&amp;amp;e=001Y3srM4I0NRj5hWMohpL2ENzZCq530vK_vAAu9riWzN562FKvQKiRXWDbUPvSCsZp5BG72KAsvwWo3vWtSjCFYo9UpcJOIqmPGR_iZWA-2uQ-Q-1o8_fqogJpPws2Lf_E0Fis9KY9Q_uqPas7XudeAil3LzMKOphKgEoPI77vHTt1NTe4NvSqqooIOgX6UkGUUx91PGJ8VXbWwoFwPSh5tGQ2ZDuTyqXVSXvY34_a9N3DWL28L-e4uOQdJCRmSFKdqrLhy0c77Bg=" target="_blank" linktype="link" track="on"&gt;Full Story &lt;/a&gt;&lt;br /&gt;&lt;br /&gt;At &lt;span id="SPELLING_ERROR_4" class="blsp-spelling-error"&gt;Pre&lt;/span&gt;-Paid Legal those of us who are qualified to work with companies in establishing a policy framework for information protection and risk management have taken this provision of the Red Flags Rule to heart as it deals with 3rd party contractors. We ask every client company to inform all of their contractors of the efforts they have made to protect &lt;span id="SPELLING_ERROR_5" class="blsp-spelling-error"&gt;PII&lt;/span&gt; and to request that they do the same or similar. It is just smart business to complete the loop of data security. Even an office cleaning service should adhere to the basic rules of security. 
I have visited numerous businesses where the cleaning service has more or less unlimited access to hard copy left on desks, in &lt;span id="SPELLING_ERROR_6" class="blsp-spelling-corrected"&gt;wastebaskets&lt;/span&gt;, and left on file cabinets, to name a few. When we include all contractors in the security formula a much better understanding of personal information security is created which gives rise to the FTC term "Culture of Security" that we are hopefully all striving for.&lt;br /&gt;&lt;br /&gt;The &lt;span id="SPELLING_ERROR_7" class="blsp-spelling-corrected"&gt;recommendations&lt;/span&gt; of the FTC are sound. All &lt;span id="SPELLING_ERROR_8" class="blsp-spelling-error"&gt;RFIs&lt;/span&gt; and contracts should contain such language. In the not too distant future all federal government contracts will contain this kind of clause I believe. As regards &lt;span id="SPELLING_ERROR_9" class="blsp-spelling-corrected"&gt;liability&lt;/span&gt; &lt;span id="SPELLING_ERROR_10" class="blsp-spelling-error"&gt;FACTA&lt;/span&gt; clearly gives liability to all parties who share non-public information. If a company hires an HR service for example and that contractor suffers a breach of that information then the liability is shared by both companies. Even if identity theft does not occur both firms can be sued for a "Failure to adequately protect the information." 
There is no requirement under such circumstances to prove pecuniary damage.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-5145973804476199077?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/5145973804476199077/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=5145973804476199077&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/5145973804476199077'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/5145973804476199077'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/09/prrotecting-employee-information-in.html' title='Protecting Employee Information in the Hands of Others'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-6847028494303991588</id><published>2009-09-21T14:34:00.000-07:00</published><updated>2009-09-23T08:43:11.674-07:00</updated><title type='text'>New ID Theft Bill Introduced in the Senate</title><content type='html'>A new bill was introduced in the US Senate that would establish a new FTC office. 
This notice is very timely for me since I have been talking about such legislation.&lt;br /&gt;New York State Senator Charles &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;Schumer&lt;/span&gt; has introduced a bill aimed at helping prevent and diagnose identity theft, reports the Evening Observer. The Personal Data Privacy and Security Act would increase penalties for those who commit the crime and would make it illegal for organizations to conceal a security breach involving personal data. The law would also require entities that hold personal data to establish data protection policies. "Identity theft is a scourge on hard-working Americans, and it is a problem that is getting worse," said &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1"&gt;Schumer&lt;/span&gt;. The act would also establish an Office of Federal Identity Protection within the Federal Trade Commission. &lt;a style="FONT-WEIGHT: bold; FONT-FAMILY: Verdana,Geneva,Arial,Helvetica,sans-serif" href="http://rs6.net/tn.jsp?et=1102718279878&amp;amp;s=40570&amp;amp;e=001jQ-eIEKOUgaLsPiIXD2Bg05z6MVwGiu_4rejPDrWtaNhCSL6flIlw9CFZJmvcshZKWJJwY1eGCBBokLvRaIUaFGzDiGNK0l52R1C-b0P3ttQJSKmEa0MZT2PATmLcAyZkdh2pAXRQ5cXQ11LfqxldvdVllSqBXCjlYuhHQeQofv3vmE-UyGdHJrQQZ40FMWc" target="_blank" linktype="link" track="on"&gt;Full Story&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;For about 6 years the Federal Trade Commission has offered guidelines for businesses and other &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_2"&gt;enterprises&lt;/span&gt; that have files and records containing personal data &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_3"&gt;either&lt;/span&gt; of employees past and present, or of customers, or client companies such as HR and payroll businesses.&lt;br /&gt;These guidelines were offered as a way for industry to police its own operations and to train personnel on protecting the non-public info they handle.&lt;br /&gt;&lt;br /&gt;These &lt;span 
class="blsp-spelling-corrected" id="SPELLING_ERROR_4"&gt;recommendations&lt;/span&gt; have been largely ignored by all but the companies regulated by the banking authorities such as the FDIC. During that time identity theft has become epidemic and is &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_5"&gt;currentl&lt;/span&gt;y costing American business and individuals in excess of $45 billion annually. This &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_6"&gt;figure&lt;/span&gt; does not reflect the identity theft losses due to personal theft and fraud, only those incidents that are the result of database losses.&lt;br /&gt;&lt;br /&gt;Now in 2009 we are faced with legislation that will require all businesses, schools, and municipalities to take specific measures to thwart these crimes. This will likely be more costly than the voluntary measures previously on the table.&lt;br /&gt;&lt;br /&gt;Moreover, the reporting aspect of this bill requiring business to reveal breaches to potential victims will have a profound effect on the public confidence of the breached businesses. In economic times such as we are in, that is something businesses can hardly afford. Investigations into breaches will also be hampered by this requirement, and I'm certain that we will see &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_7"&gt;push back&lt;/span&gt; from business on that point.&lt;br /&gt;&lt;br /&gt;It is sad to see that businesses would rather do nothing than take basic measures to safeguard information. My mantra holds true: &lt;em&gt;"When you protect the information you hold on others you are protecting them. When someone else does it they are protecting you."&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;Our data is only as safe as the weakest link. 
And with literally thousands of databases containing our personal data there are thousands of weak links to contend with.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-6847028494303991588?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/6847028494303991588/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=6847028494303991588&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/6847028494303991588'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/6847028494303991588'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/09/new-id-theft-bill-introduced-in-senate.html' title='New ID Theft Bill Introduced in the Senate'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-7953910759406216226</id><published>2009-09-17T07:56:00.000-07:00</published><updated>2009-09-17T08:07:01.794-07:00</updated><title type='text'>Breach Notification Rule Effective Next Week</title><content type='html'>Breach Notification Rule Effective Next Week&lt;br /&gt;The new &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1"&gt;HIPAA&lt;/span&gt; breach notification rule takes effect 
next week, reports HR.blr.com. The rule requires entities covered by the Health Insurance Portability and Accountability Act to notify individuals in the event their personal health information is breached, the report states. Starting on September 23, any &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_2"&gt;healthcare&lt;/span&gt; provider, health plan or other &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_3"&gt;HIPAA&lt;/span&gt;-covered entity that experiences a breach must notify those affected "as soon as reasonably possible," unless the organization protects the information using encryption or destruction, in which case they need not notify. If the breach involves more than 500 individuals, the organization must also notify the Department of Health and Human Services and the media. &lt;a style="FONT-WEIGHT: bold; FONT-FAMILY: Verdana,Geneva,Arial,Helvetica,sans-serif" href="http://rs6.net/tn.jsp?et=1102712537694&amp;amp;s=40570&amp;amp;e=0016F68s9ClGISyG7gZivWXFKPfUGLEsKTJMkatFvVTD83pJe76XKMGDOWbPXVAqW2f9OFxRyZ6gGeKGoVOwO_trYWHGw6vxDKaIUi-g1LuSoOIOf-WNBhv64RiBrEMuc0pAtIAMkjEhL0=" target="_blank" linktype="link" track="on"&gt;Full Story&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;This constitutes a real milestone in stemming identity theft on a federal level. As this bill passes we will have the first leg of a national reporting policy for &lt;strong&gt;&lt;em&gt;all&lt;/em&gt;&lt;/strong&gt; personal data loss. No legislation is perfect. There is still a threshold test for notifying potential victims, and we will most likely always have a conflict between notifying victims and investigating breaches. This is however a good beginning. The remaining conflict of course is the timeliness of the notification. Once notified of a breach &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_4"&gt;individuals&lt;/span&gt; should be empowered to provide protection for themselves before any damage is done. 
The best scenario is to have this in place prior to a breach so that the potential victim will have the early warning and restoration services of professional identity theft specialists.&lt;br /&gt;&lt;br /&gt;&lt;a style="FONT-WEIGHT: bold; FONT-FAMILY: Verdana,Geneva,Arial,Helvetica,sans-serif" href="http://rs6.net/tn.jsp?et=1102712537694&amp;amp;s=40570&amp;amp;e=0016F68s9ClGISyG7gZivWXFKPfUGLEsKTJMkatFvVTD83pJe76XKMGDOWbPXVAqW2f9OFxRyZ6gGeKGoVOwO_trYWHGw6vxDKaIUi-g1LuSoOIOf-WNBhv64RiBrEMuc0pAtIAMkjEhL0=" target="_blank" linktype="link" track="on"&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-7953910759406216226?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/7953910759406216226/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=7953910759406216226&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/7953910759406216226'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/7953910759406216226'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/09/breach-notification-rule-effective-next.html' title='Breach Notification Rule Effective Next Week'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-7561842208679512084</id><published>2009-09-09T13:27:00.000-07:00</published><updated>2009-09-09T13:33:54.426-07:00</updated><title type='text'>Red Flags Rule Extension</title><content type='html'>I will be away for a bit on a business trip. Until I return please see the following.&lt;br /&gt;This article is copied from today's newsletter from the law firm of Wiley Rein.&lt;br /&gt;&lt;br /&gt;Red Flags Rule Deadline Again Extended&lt;br /&gt;By &lt;a href="http://www.wileyrein.com/professionals.cfm?sp=bio&amp;amp;id=216"&gt;Amy E. Worlton&lt;/a&gt;, &lt;a href="http://www.wileyrein.com/professionals.cfm?sp=bio&amp;amp;id=58"&gt;William B. Baker&lt;/a&gt; and &lt;a href="http://www.wileyrein.com/professionals.cfm?sp=bio&amp;amp;id=126"&gt;Hugh Latimer&lt;/a&gt; September 2009 Privacy in Focus&lt;br /&gt;The Federal Trade Commission (FTC) will "delay enforcement" until November 1, 2009, of the Red Flags Rule, previously scheduled to begin in August 2009. The delay reflects FTC recognition that some businesses may need more time to develop and implement written identity theft prevention programs. The Red Flags Rule may apply to companies that bill consumers in arrears (i.e., payment is not due at the time of service but at a later point). Even telecom companies, which are generally exempt from FTC jurisdiction, are likely subject to the Red Flags Rule, because they bill in arrears. Such companies are "creditors" subject to the consumer protections of the Fair and Accurate Credit Transactions Act and the Fair Credit Reporting Act. 
The Red Flags Rule, adopted under these statutes, requires a "creditor" with "covered accounts" to establish a written program for the identification, detection and response to "Red Flags"-patterns or specific activities that could indicate identity theft. The FTC's Red Flags Rule requires no particular practice or procedure. Rather, businesses must tailor their identity-theft-prevention programs to their particular risks. For example, "Red Flags" that probably require a response include alerts from consumer reporting agencies, law enforcement agencies or consumers themselves. Accounts should be monitored for unusual activity to the extent they are susceptible to fraudulent use. Businesses should verify new customer information, authenticate existing account holders and verify the validity of address change requests. (For more on the Red Flags Rule, see May 2009 &lt;a onkeypress="window.open(this.href);return false;" onclick="window.open(this.href);return false;" href="http://www.wileyrein.com/ftc_postpones"&gt;Privacy In Focus&lt;/a&gt;.) Companies should ensure that their identity-theft-prevention programs are up and running by November 1, as the FTC is unlikely to extend the enforcement deadline again.&lt;br /&gt;&lt;br /&gt;It is vital for all of us to stay focused on a good privacy policy that is aimed at eliminating breaches of personal information. 
A proactive approach is the most effective way to achieve that goal.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-7561842208679512084?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/7561842208679512084/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=7561842208679512084&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/7561842208679512084'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/7561842208679512084'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/09/red-flags-rule-extension.html' title='Red Flags Rule Extension'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-4807536780454132501</id><published>2009-09-04T11:50:00.000-07:00</published><updated>2009-09-08T09:28:02.784-07:00</updated><title type='text'>Medical Identity Theft is on the Rise</title><content type='html'>According to the Identity Theft Resource Center (ITRC), medical identity theft is on the rise as health insurance fraud becomes more common. 
NetworkWorld reports that, according to an ITRC study of 2008 identity theft victims, 67 percent had been charged for medical procedures they hadn't received and 11 percent were denied health or life insurance for unexplained reasons--possibly because of incorrect information resulting from fraudulent insurance claims. The NetworkWorld article includes a summary of the worst medical data breach incidents from 2009, including: Virginia Department of Health Professions hack (8 million+); Peninsula Orthopaedic Associates robbery (100K) and Moore's Cancer Center hack (30K). &lt;a style="FONT-WEIGHT: bold; FONT-FAMILY: Verdana,Geneva,Arial,Helvetica,sans-serif" href="http://rs6.net/tn.jsp?et=1102692682553&amp;amp;s=40570&amp;amp;e=001h2_1B5I93q6mytFxsgn46b4VuOSRk404gFWJ7tLCNFIQWL5GMXmOL37V0UlvHtmz_x9mYFMKdky0EwfChK9AexJNdVdQhwrgYh3LEgt4ft-BNt07gM2QRRQdgVQ_8J4eTMaOVA62yxqiUWTVvdjlU_XmMEkmJZQoXHqIarJgHI0=" target="_blank" track="on" linktype="link"&gt;Full Story&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Most companies hold personal medical information on their staff for purposes of health insurance, incident reports, cafeteria plans, and so forth. It was only about two years ago that there was a general consensus among professionals that medical identity theft was largely overstated, despite warnings that it was largely underreported. Medical identity theft is by far the most difficult type of the crime due to its far-reaching implications. When medical information is used, a lot of databases are automatically updated, from insurance claim databases such as MIB to hospital and doctor records. Blood types and allergy histories can be incorrect in records. 
When medical procedures are performed, this can also affect creditworthiness if bills go unpaid; suits can be filed by creditors and criminal files can be opened. In short, the misuse of medical information can result in the corruption of dozens of types of records.&lt;br /&gt;&lt;br /&gt;What we see in medical database breaches such as the ones above is only part of the puzzle.&lt;br /&gt;Everyone needs to consider the restoration of medical records and legal representation when evaluating identity theft services.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-4807536780454132501?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/4807536780454132501/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=4807536780454132501&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/4807536780454132501'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/4807536780454132501'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/09/medical-identity-theft-is-on-rise.html' title='Medical Identity Theft is on the Rise'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-1754472796226428337</id><published>2009-08-28T11:26:00.000-07:00</published><updated>2009-08-28T11:27:39.375-07:00</updated><title type='text'>Bernake was a victim of identity theft</title><content type='html'>This was too good to pass up. Thank you Reuters!&lt;br /&gt;&lt;br /&gt;Fri Aug 28, 2009 9:30am EDT&lt;br /&gt;WASHINGTON (Reuters) - Federal Reserve chief Ben Bernanke was among hundreds of victims of an identity fraud ring that stole more than $2.1 million from consumers and financial institutions across the United States, Newsweek magazine reported on its website.&lt;br /&gt;The head of the U.S. central bank and his wife were swept up in a case against the ring after her purse, with personal checks inside, was snatched at a coffee shop in August 2008, Newsweek reported, citing recently filed court documents.&lt;br /&gt;Someone soon began cashing checks on the Bernanke family bank account, a crime that became part of a wide-ranging federal identity theft investigation that was already underway.&lt;br /&gt;The targets were members of a nationwide ring that used a combination of old-fashioned thievery and high-tech fraud to loot the bank accounts of unsuspecting victims, Newsweek reported.&lt;br /&gt;The investigation by the Secret Service and the U.S. Postal Inspection Service culminated in recent months with a series of arrests, criminal complaints and indictments brought by federal prosecutors in Virginia.&lt;br /&gt;In a statement to Newsweek, Bernanke said identity theft is a serious crime that affects millions of Americans each year.&lt;br /&gt;"Our family was but one of 500 separate instances traced to one crime ring," Bernanke said. 
"I am grateful for the law enforcement officers who patiently and diligently work to solve and prevent these financial crimes."&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-1754472796226428337?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/1754472796226428337/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=1754472796226428337&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/1754472796226428337'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/1754472796226428337'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/08/bernake-was-victim-of-identity-theft.html' title='Bernake was a victim of identity theft'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-896608681772962290</id><published>2009-08-26T07:54:00.000-07:00</published><updated>2009-08-26T10:35:54.464-07:00</updated><title type='text'>Employees, Especially Temps, Cause Breaches</title><content type='html'>&lt;em&gt;The majority of data breaches result from inadvertent employee error, say experts. 
BBC News reports on the results of a study that found unintentional data loss to be the most frequent cause of &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;cyber&lt;/span&gt; breaches (14.4 percent per year). &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1"&gt;IDC&lt;/span&gt; and the security firm &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_2"&gt;RSA&lt;/span&gt; analyzed 11 categories of risk at 400 organizations in various industry sectors across the U.S., UK, France and Germany. Of the employee-caused breaches, they found 52 percent to be accidental and 19 percent deliberate. Temporary employees, the study found, are more likely to be culpable. "It's likely contractors may be less well-trained in organizational policy..." said &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_3"&gt;RSA's&lt;/span&gt; Chris Young.&lt;br /&gt;Read the full story here&lt;/em&gt; &lt;a style="FONT-WEIGHT: bold; FONT-FAMILY: Verdana,Geneva,Arial,Helvetica,sans-serif" href="http://rs6.net/tn.jsp?et=1102681217353&amp;amp;s=40570&amp;amp;e=001N4T1M9Ig2G3XlqGMzsRkewQhm4jACITc_WlUIEyeMceenMW8-0uZAorDBALCcwobHwXtSIbry-zbd7I3DCDHxnsVvrBkddtMjJdsW_sEtBPrRivRkz_pNzX6XTp2BBnzmdd1k3MI1pPYEyHwvkPVglhlrmQIneo-" target="_blank" track="on" linktype="link"&gt;Full Story&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;This survey, one of dozens within the past two years, illustrates my point about employee training as perhaps the most critical aspect of any good breach plan. That 52% of accidental breaches can be greatly diminished by showing employees what is expected of them and seeking their help in improving data security throughout the &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_4"&gt;enterprise&lt;/span&gt;. A clear written policy that not only delineates the information that is to be protected, but also provides guidelines for staff and names those who are administering the program is essential in our modern business world. 
As long as personally identifiable information has value, it will be used and sold by illegal profiteers around the world.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-896608681772962290?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/896608681772962290/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=896608681772962290&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/896608681772962290'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/896608681772962290'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/08/employees-especially-temps-cause.html' title='Employees, Especially Temps, Cause Breaches'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-2198973747429667776</id><published>2009-08-21T10:12:00.000-07:00</published><updated>2009-08-21T10:15:25.322-07:00</updated><title type='text'>HHS Issues a Breach Notification Rule</title><content type='html'>&lt;a name="LETTER.BLOCK23"&gt;&lt;br /&gt;The Department of Health and Human Services (HHS) published its rule on mandatory breach notification requirements, reports Government Health IT.  
The rule applies to all entities covered by the Health Insurance Portability and Accountability Act (HIPAA). The notification requirement stems from a Congressional mandate in the American Recovery and Reinvestment Act (ARRA). "These protections will be a cornerstone of maintaining consumer trust as we move forward with meaningful use of electronic health records and electronic exchange of health information," said Robinsue Frohboese of the HHS Office for Civil Rights. Earlier this week, the FTC issued its rule on mandatory breach notification requirements for personal health records vendors.&lt;/a&gt;&lt;br /&gt;For more on that rule &lt;a href="http://rs6.net/tn.jsp?et=1102677847696&amp;amp;s=40570&amp;amp;e=0014ddwneFQ6f4vbYrsbMg2NzX0ekC57QhB9wo3QAxOdbnIRSjGlS0d2Kbr_d8dgM89hIXYRWwKu_Qqmx6E8ZxF6wiIUj5XvsY3_38a1lmo2LuBL3j8zcHpmArYt65PK4sgYc9XoNdzw2DS_5IrvA_yxPpVBO3E7mib_hkrJCfeUErH5_HF4it-zq37pAsxf3RglMs0WOxB5vmI8rIoMfzNFQAWhlvsJoAe" target="_blank" linktype="link" track="on"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-2198973747429667776?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/2198973747429667776/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=2198973747429667776&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/2198973747429667776'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/2198973747429667776'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/08/hhs-issues-breach-notification-rule.html' title='HHS 
Issues a Breach Notification Rule'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-7874021509650053179</id><published>2009-08-20T09:23:00.000-07:00</published><updated>2009-08-20T10:33:06.459-07:00</updated><title type='text'>Attention All Keepers of Personal Data!</title><content type='html'>&lt;ol&gt;&lt;li&gt;Do you own a business with employees? &lt;/li&gt;&lt;li&gt;Do you use personal information in sales transactions?&lt;/li&gt;&lt;li&gt;Do you keep &lt;em&gt;personally identifiable information (&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;PII&lt;/span&gt;)&lt;/em&gt; on your clients, including students? &lt;/li&gt;&lt;li&gt;Do you share &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1"&gt;PII&lt;/span&gt; with any other business? &lt;/li&gt;&lt;li&gt;Does any other business have access to your &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_2"&gt;PII&lt;/span&gt; database?&lt;/li&gt;&lt;/ol&gt;&lt;p&gt;If you can answer yes to any of these questions, ask yourself this: what are you doing to actively safeguard that information from loss or theft? Remember, it is your responsibility to protect that information from misuse or theft. No business (above) is exempt.&lt;/p&gt;&lt;p&gt;The federal government has issued guidelines for you to follow in order to be compliant with the standards set forth in several privacy laws. The Federal Trade Commission (&lt;a href="http://www.ftc.gov/privacy"&gt;FTC&lt;/a&gt;) has oversight of all businesses apart from the banking and savings industries, which have separate oversight. 
They have the authority to investigate breaches and even to prosecute those businesses whose &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_3"&gt;security&lt;/span&gt; practices are lacking.&lt;/p&gt;&lt;p&gt;The answer to anyone who questions the need for securing this kind of information is very simple. There are roughly 9 to 10 million identity theft victims in the U.S. each year. The majority of those victims had their information compromised from a database and not from direct theft. &lt;em&gt;&lt;strong&gt;When you and your business safeguard the information you keep on others you are protecting them. When someone else does the same they are protecting you&lt;/strong&gt;&lt;/em&gt;. All of us leave a trail of data behind in the course of our lives. Every school we have ever attended, every home we have purchased, loan made, insurance claim, military service, in short everything we have ever done has left a record that needs to be protected from theft or misuse. Each one of us is a link in the chain of protection. &lt;strong&gt;&lt;em&gt;When you and your business safeguard the information you keep on others you are protecting them. 
When someone else does the same they are protecting you.&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-7874021509650053179?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/7874021509650053179/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=7874021509650053179&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/7874021509650053179'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/7874021509650053179'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/08/attention-all-keepers-of-personal-data.html' title='Attention All Keepers of Personal Data!'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-8259357582180550125</id><published>2009-08-18T09:56:00.000-07:00</published><updated>2009-08-20T09:23:35.385-07:00</updated><title type='text'>Data Security Measures Deadline Extended</title><content type='html'>&lt;em&gt;The Massachusetts Office of Consumer Affairs and Business Regulation (&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;OCABR&lt;/span&gt;) has amended its data security regulations. 
In a media release yesterday, the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1"&gt;OCABR&lt;/span&gt; announced that the rules will facilitate a risk-based approach to data security, which is expected to help the small-business community, in particular. In creating written security programs, businesses will be able to take into account their size, industry type and identity-theft risk, among other characteristics. The &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_2"&gt;OCABR&lt;/span&gt; also modified the regulations to make them technology neutral. The new effective date is March 1, 2010. A public hearing on the changes will take place Tuesday, September 22.&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;The government has long been under pressure to create a federal standard for data security. Existing laws such as the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_3"&gt;FCRA&lt;/span&gt; and &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_4"&gt;GLB&lt;/span&gt; Safety Act have set out guidelines for businesses that include risk analysis, written policy definitions, and employee training. However, apart from the Red Flags Rules [sec. 114 FACTA], to date nothing definitive has been issued that delineates specifically what each business must do and what criteria they must follow to safeguard PII. This new Mass. law promises to provide much of that language to guide businesses in that state. 
It is my belief that when enacted this new legislation will become a model for similar federal legislation.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-8259357582180550125?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/8259357582180550125/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=8259357582180550125&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/8259357582180550125'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/8259357582180550125'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/08/data-security-measures-deadline.html' title='Data Security Measures Deadline Extended'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-8492194591945331439</id><published>2009-08-06T09:27:00.001-07:00</published><updated>2009-08-07T10:49:48.933-07:00</updated><title type='text'>Companies Take Heed</title><content type='html'>&lt;em&gt;Corporate Ethics Must Change, Says &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;Matwyshyn. 
&lt;/span&gt;A Wharton School professor says that corporations will have to adapt to increasing consumer savvy when it comes to the role of information security in business dealings, reports Forbes. At &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1"&gt;Defcon&lt;/span&gt; last week, privacy expert and Wharton professor of legal studies and business ethics Andrea &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_2"&gt;Matwyshyn&lt;/span&gt; said: "Companies need to be aware that their customers are going to start asking questions about their security and what they're doing." &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_3"&gt;Matwyshyn&lt;/span&gt; studies corporate law and information technology. She says even though they are not required to disclose their security procedures to consumers, big businesses should inform customers about their security practices and threats, adding that if corporate ethics don't change, legislators might step in.&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;While it is true that businesses are not required to disclose security procedures and methods, the public still has the last say in this. When you go to work for a company, enter into an agreement or contract with another business, invest in or simply do business with them, you have the right to expect that they are handling your personal information in a responsible manner. And you have the right to NOT get involved with a business that does not take this seriously. If the business is covered by the Red Flags Rule, you can ask to see its identity theft prevention and response policy. I have been to bank branches for speaking engagements since Nov 1st of '08 where the branch manager had no idea of the bank's policy or what the policy document looked like. Banks were to be in compliance prior to November 1st of '08. &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_4"&gt;The&lt;/span&gt; bottom line is this. 
If you are one of the people who are waiting for the government to fix the problem, you are not going to get any satisfaction. We are empowered to make businesses take the responsible route when it comes to data security. We live in a society where lawyers throw cases of client files in dumpsters, personnel departments email sensitive personal info to one another without any sort of encryption or protection, and employees lose laptops and thumb drives containing unencrypted &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_5"&gt;NPI&lt;/span&gt; on a regular basis. These are just a few of the "mistakes" companies make daily, and do not include the intentional acts of theft of paper files, flash drives, and CD-ROMs by underpaid, laid-off or disgruntled employees needing extra cash.&lt;br /&gt;&lt;br /&gt;If a business does not address this issue head on by training and honestly assessing internal risk, it is playing with fire. There is no limit in company size either. EVERY business regardless of size must take heed. 
This is a real issue with real consequences and businesses are the prime source of data.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-8492194591945331439?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/8492194591945331439/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=8492194591945331439&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/8492194591945331439'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/8492194591945331439'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/08/companies-take-heed.html' title='Companies Take Heed'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-6649805451778457581</id><published>2009-08-04T10:51:00.000-07:00</published><updated>2009-08-04T10:57:04.308-07:00</updated><title type='text'>Government Employees' Names, SSNs Exposed</title><content type='html'>HELLO!?&lt;br /&gt;&lt;br /&gt;&lt;em&gt;U.S. Commerce Department employees have been notified that their sensitive personal information was exposed last month, reports the Washington Post. 
The names and Social Security numbers of 27,000 were on an Excel spreadsheet that a National Finance Center employee sent to a co-worker via unencrypted e-mail, the report states. The department is making arrangements to track for identity theft resulting from the breach and is urging employees to monitor their credit reports.&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;I repeat, your information is out there and used, or misused each and every day of the week.&lt;br /&gt;No one can prevent accidents or mistakes from happening, just as you cannot prevent intentional acts of data theft. If you have a comprehensive ID theft early warning and restoration service working for you, you can be assured that no matter how your personal information gets in the hands of the wrong people that they cannot ruin your life. The damage is very limited and correctable.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-6649805451778457581?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/6649805451778457581/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=6649805451778457581&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/6649805451778457581'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/6649805451778457581'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/08/government-employees-names-ssns-exposed.html' title='Government Employees&apos; Names, SSNs Exposed'/><author><name>John 
Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-6752521328690443311</id><published>2009-07-30T10:40:00.000-07:00</published><updated>2009-07-30T10:56:25.356-07:00</updated><title type='text'>Network Solutions Begins a Damage Control Effort</title><content type='html'>If anyone still has reservations as to whether or not to have some sort of identity theft mitigation service, one only needs to consider the following.&lt;br /&gt;&lt;br /&gt;&lt;em&gt;Following disclosure of a data breach that may have compromised the credit card data of more than 573,000 patrons of small commercial Web sites, Internet domain administrator and host Network Solutions has initiated a crisis response effort. Reaching out to its clients affected by the breach, Network Solutions has offered assistance in helping sites notify those customers whose credit card data may have been compromised, including offering credit monitoring services. Network Solutions spokesperson Susan Wade told &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;DMNews&lt;/span&gt;, "Unfortunately, something like this could happen to any online business, so we're just letting our customers know that we're there for them, we will help them as much as we can, and we take this issue very seriously."&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;It is important to &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_1"&gt;recognize&lt;/span&gt; that identity theft can and often does raise its ugly head in many different ways. 
Our information is out in the world and used by thousands of businesses and government agencies constantly. It doesn't take a statistician to see that the odds are that your information will be compromised, and likely many times. Why then would anyone want to gamble that they won't become the victim of the most difficult crime in history? Difficult, you say? When identity theft strikes, records are corrupted with false information. There is no one source to use to correct them, and once they are corrupted the onus is on the victim to prove that they have been victimized. When the data says one thing, how are you going to prove otherwise? Most victims spend years trying to correct their health or &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_3"&gt;SSN&lt;/span&gt; files or &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_4"&gt;DMV&lt;/span&gt; or insurance records, or any number of files that are used to shape who we are &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_5"&gt;perceived&lt;/span&gt; to be in the official and public eye.&lt;br /&gt;&lt;br /&gt;What helps is a service which will not only shortcut the crime but, most importantly, go to work for you to correct those records, no matter how or when they have been corrupted by misuse of your personal data. It is also in the best interest of each and every employer to make such a service available to all of their employees. 
An employee distracted by this kind of problem cannot concentrate on work or maintain a healthy attitude for as long as they are dealing with an identity theft episode.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-6752521328690443311?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/6752521328690443311/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=6752521328690443311&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/6752521328690443311'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/6752521328690443311'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/07/network-solutions-begins-damage-control.html' title='Network Solutions Begins a Damage Control Effort'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-8515463469419858578</id><published>2009-07-29T09:15:00.000-07:00</published><updated>2009-07-29T09:19:33.239-07:00</updated><title type='text'>Red Flags Rule Enforcement Deadline Extended</title><content type='html'>The Federal Trade Commission has again extended the enforcement deadline for the Red Flags Rule, according to an agency press release. 
Creditors and financial institutions now have until November 1, 2009 to come into compliance with the rule, which was mandated by the Fair and Accurate Credit Transactions Act of 2003. Meanwhile, the commission will redouble efforts to educate businesses affected by the rule on what they must do to comply. The Red Flags Rule requires entities to implement programs for identifying, detecting and responding to harbingers of identity theft, or "red flags."&lt;br /&gt;Go to &lt;a href="http://www.ftc.gov/redflagsrule"&gt;www.ftc.gov/redflagsrule&lt;/a&gt; for more information regarding your business.</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/8515463469419858578/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=8515463469419858578&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/8515463469419858578'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/8515463469419858578'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/07/red-flags-rule-enforcement-deadline.html' title='Red Flags Rule Enforcement Deadline Extended'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-8910670833124924785</id><published>2009-07-24T08:24:00.000-07:00</published><updated>2009-07-24T08:35:50.059-07:00</updated><title type='text'>Will the Third Try be a Charm for Federal Breach Notification Law?</title><content type='html'>The following article was in today's privacy bulletin. Since the first state breach notification law went into effect in 2003 in California, 43 other states have enacted their own versions, creating a worthwhile but patched-together set of regulations that are at best vague and contain huge lapses, so that a company experiencing a breach can likely get away without any sort of notification to potential victims. Hopefully this legislation will contain enough bite to be effective. Only when we see transcripts of the bill will we know if we are headed in the right direction or for another legislative compromise. Thresholds for notification need to include not only electronic breaches and large-scale hacks of computer servers, but also theft and misuse of paper records, and need to provide for smaller incidents. 
Only by creating effective notification laws can businesses be held accountable to the public who expect their information to be reasonably safe.&lt;br /&gt;&lt;br /&gt;&lt;em&gt;Vermont Senator Patrick Leahy (D) has reintroduced the Personal Data Privacy and Security Act, the third attempt by Congress to pass a federal data breach law that would pre-empt the 44 individual state data breach laws and create a single response and notification standard in the U.S.  InternetNews reports that in a statement, Leahy said the bill addresses serious consumer privacy and data security issues and vowed that, "Passing this comprehensive data privacy legislation is one of my highest legislative priorities as chairman of the Judiciary Committee&lt;/em&gt;."&lt;a href="http://rs6.net/tn.jsp?et=1102649631369&amp;amp;s=40570&amp;amp;e=001f-H8tqTvO-ZX-ZyCjaJXNiytYC8DSmMetD4uM39SsUGV68Jmm19GuCE22orZbcx4k7NA36wt4MFRwGrfzxjDjk5mYukE-T8e3NvkOYih_50vW-8VTLNzMQSChD8J829EEOBAL2g1USX4RC7vjhetjMHErU9Vnv1dY-Cqb7YtFZdsMI0WymRTCqeRXLNlSA2FwSuA7qFnf2g=" target="_blank" track="on" linktype="link"&gt;Full Story &lt;/a&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/8910670833124924785/comments/default' title='Post Comments'/><link rel='replies' type='text/html' 
href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=8910670833124924785&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/8910670833124924785'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/8910670833124924785'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/07/will-third-try-be-charm-for-federal.html' title='Will the Third Try be a Charm for Federal Breach Notification Law?'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-5768735758233715342</id><published>2009-07-13T10:17:00.000-07:00</published><updated>2009-07-13T10:42:27.792-07:00</updated><title type='text'>Who Needs High Tech Information Security Measures?</title><content type='html'>Whenever I see articles about the latest high tech "solution" for data loss I can't help but think about the vast number of data breaches that result from situations such as the one below.&lt;br /&gt;Just as there is no one form of data theft, there is no one type of solution.&lt;br /&gt;&lt;a name="LETTER.BLOCK23"&gt;&lt;br /&gt;&lt;br /&gt;&lt;a name="LETTER.BLOCK23"&gt;&lt;/a&gt;&lt;em&gt;Medical records, including names, credit card numbers, Social Security numbers and cancelled checks were found in a dumpster behind a Salt Lake City shoe distribution center last week, reports 
KUTV News. At least some of about 20 boxes that Salt Lake City police confiscated appear to have come from a now-closed chiropractic office. KUTV reports that surveillance footage showing two people unloading materials into the dumpster exists. Disposing of medical records in this way is a violation of state law, according to the Utah Attorney General's office, and could lead to a $2,500 fine per patient record.&lt;/em&gt;&lt;br /&gt;&lt;a style="FONT-WEIGHT: bold" href="http://rs6.net/tn.jsp?et=1102638262943&amp;amp;s=40570&amp;amp;e=001q2LZeRm7bg0eDGrbAp7VngA2M286MmO8dWxfmW7dzgyUzqYNQrPKLfNgvdShnUOZv-DhF4LErbdMUFtQyR2kssS063PzE8qShQBnDoplvT-HpFNLUzJViHjRh1J_fUSU_JxQwJWTzkfOYQR0wIYJhXvcrCNk3CcdLz-hBPs_2oQnRnlLXA-zs_DVnhw1_HS76052kve0RJrVoAu8R2BZbckFfOE6MhZANxBvyZ-Dv6JuT-MuGmtMy2ZGVwvhxNZH" target="_blank" linktype="link" track="on"&gt;Full Story&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Train your staff, train your staff, train your staff. 
This kind of incident happens too often due to a lack of understanding of the law and simple common sense in protecting records from falling into the wrong hands.&lt;br /&gt;&lt;br /&gt;Most ID theft that results from breaches of information at companies occurs when an employee walks out with the data with the intention of selling it, not to open credit card accounts. While the thief may be caught, the data is long gone with other parties. Once the information is sold it can proliferate in a matter of days across the world.&lt;br /&gt;&lt;br /&gt;A lack of understanding of the value of employee personal information as well as customer information has led to more identity theft incidents than any other cause.&lt;/a&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/5768735758233715342/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=5768735758233715342&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/5768735758233715342'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/5768735758233715342'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/07/who-needs-high-tech-information.html' title='Who Needs High Tech Information Security Measures?'/><author><name>John 
Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-7984353254714912365</id><published>2009-07-10T09:47:00.000-07:00</published><updated>2009-07-10T11:10:38.729-07:00</updated><title type='text'>What is a privacy policy, and what is an identity theft policy? What's the difference?</title><content type='html'>Good morning all. I have been noticeably absent from my column duties while I took care of some other projects and fit in a short vacation.&lt;br /&gt;&lt;br /&gt;Very often when I speak with business owners, especially in small to mid-sized organizations, I find that a lot of them either confuse a company privacy policy with identity theft, or believe that an identity theft policy is an outgrowth of a privacy policy or statement.&lt;br /&gt;In very general terms the two are not the same and in fact address two different issues. A privacy policy deals with either company intellectual property or customer information. Any business that collects customer information in the course of doing business must have a privacy policy that informs the customer as to how their information is used and protected, and encryption procedures for transactions. That falls largely under the direction of the Payment Card Initiative, &lt;a href="http://www.pcicompliance.org/"&gt;PCI DSS&lt;/a&gt; rules to protect the public from fraud resulting from purchase transactions. Also, customers are protected by other state and federal laws such as the FTC Act and FCRA that prohibit companies from distributing personal information without regard to personal privacy without first notifying the client of their intent. 
That issue is being hotly debated again due to the proliferation of social networking websites. Another area of privacy policy is the protection of company secrets, proprietary information regarding how a business operates and its plans and strategies. While the distribution and misuse of personally identifiable information (PII) is highly regulated by consumer law, protecting company secrets is a matter of internal policy. Businesses engaged in technological and scientific research and development often have non-disclosure agreements with employees to protect that kind of information. Employees who violate those agreements are subject to termination, and possible prosecution for breach of contract.&lt;br /&gt;&lt;br /&gt;An identity theft policy addresses the area of PII data loss: a definition of what the company considers to be PII, the various forms the company uses to store and use PII, and finally the procedure the company has put into place to respond to breaches and to protect the individuals who might be affected and are at increased risk of identity theft resulting from a company breach. This policy must address not only the data the company keeps on its clients but also its employees' personnel records, and must also address the identity theft policies of any contractor or service provider who might have access to that information. Vendors can include not only outsourced HR, payroll, insurance and benefits brokers, but also cleaning services, construction contractors, and even parking services: any business that has the potential of obtaining PII.&lt;br /&gt;&lt;br /&gt;It isn’t my intention to delineate what the law is or provide legal advice in these areas but instead to provoke thought on the part of businesses. 
With new legislation such as GLB, FACTA, and now the Red Flags Rule under FACTA, the banking regulators and the FTC have made it clear that in order to stem the tide of identity theft and the company data breaches that result in the majority of identity theft, businesses need to take certain steps proactively to prevent breaches and to respond quickly and effectively when they do occur.&lt;br /&gt;Every company is different and therefore needs to take the steps that are most effective for that organization. It all begins with an honest risk assessment on the part of each company to find the weak links in information security, and to train the staff on their responsibilities. A clear identity theft policy is the roadmap every responsible business uses to lay out everyone’s duties and how the business will handle data breaches. The FTC auditors investigating companies that have experienced these breaches are most interested in seeing what a business did to protect the information before the breach. 
A proactive identity theft policy is good policy, and good business.</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/7984353254714912365/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=7984353254714912365&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/7984353254714912365'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/7984353254714912365'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/07/what-is-privacy-policy-and-what-is.html' title='What is a privacy policy, and what is an identity theft policy? What&apos;s the difference?'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-5823872482378250067</id><published>2009-06-26T10:50:00.000-07:00</published><updated>2009-06-26T10:52:27.936-07:00</updated><title type='text'>35 days until the enforcement phase of the Red Flags Rule, Are you ready?</title><content type='html'>The deadline for non-banking entities to comply with the Fair Credit Reporting Act Red Flags Rule is August 1. 
Joel Winston and his colleagues at the Federal Trade Commission have spent the last several months helping businesses understand the requirements. Winston is associate director of the Division of Privacy and Identity Protection at the commission's Bureau of Consumer Protection. In this interview with GovInfoSecurity.com, he discusses the Red Flags Rule, the greatest information security risks for consumers, privacy implications of new technologies and his team's work to help prevent identity theft, among other topics.&lt;br /&gt;&lt;a href="http://rs6.net/tn.jsp?et=1102623122650&amp;amp;s=40570&amp;amp;e=001F53xlnGw6xH4vsaEM1lZpOgFKAK_hr4ujm5WchsKe2RAgq_hu9L30LcwrIIrH8hYODbf0Y9SFWutpDI6AA48ga0N8y8cP7ZTcOFaFk3CAUyadYreYm9bZtf4cf2VE-iimOwMiOP5ctZXZavUqcLNrjAS3gH-w2frLK0N9-VMapq-WYYJGvGzOcrqZ4Kq-d86pu_dScK2dzTg66s_J9NPQEXdufGqwhwhM6V7PEBXBlLY_VfXEBw3YA==" target="_blank" track="on" linktype="link"&gt;Full Story &lt;/a&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/5823872482378250067/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=5823872482378250067&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/5823872482378250067'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/5823872482378250067'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/06/35-days-until-enforcement-phase-of-red.html' title='35 days until the enforcement phase of the Red Flags Rule, Are you ready?'/><author><name>John 
Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-63297905759656311</id><published>2009-06-25T14:37:00.000-07:00</published><updated>2009-06-25T14:41:31.907-07:00</updated><title type='text'>Privacy Blunders Foster a New Era of Accountability</title><content type='html'>By &lt;a href="mailto:dpeppers@1to1.com" target="_blank"&gt;Don Peppers&lt;/a&gt; and &lt;a href="mailto:rogers@1to1.com" target="_blank"&gt;Martha Rogers, Ph.D&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;The following was in my daily privacy download. It is hard to add any editorial comments as the article spells it out very well. So, without further ado here is today's thought on privacy.&lt;br /&gt;&lt;br /&gt;In the early days of mandatory data breach disclosures, which in the U.S. began in 2005, notifications followed a now predictable pattern: Organizations issued a press release expressing contrition, mailed notification letters, strategically released details on the scale of the breach, and emphasized the strides they were taking to mend and prevent.  What was perhaps most notable was what didn't happen: At the senior-executive level, no heads rolled. Overall, corporate accountability for lost data seemed slight, at best.&lt;br /&gt;Lately, however, a number of episodes suggest that we may be entering a new culture of senior-level accountability--over privacy, abuses of "secrecy," and for the data-related misdeeds of subordinates. The events seem to suggest a broader cultural shift toward increased transparency and accountability for whoever's in charge, and a growing realization that when it comes to collecting data, "more is better" isn't always best.  
&lt;br /&gt;The privacy buck stops where?&lt;br /&gt;The misdeeds of subordinates in several organizations have recently led to the chief's ouster. Last month, discount supermarket chain Lidl sacked its head of German food operations, Frank-Michael Mros, after documents recovered from a dumpster showed that throughout 2008 and 2009, the company illegally collected confidential information on employees (noting such state-of-health information as "operated on for a tumor" and "wants to get pregnant"). In March, the head of Deutsche Bahn, Hartmut Mehdorn, resigned after revelations that the state-owned rail operator had spied on its employees. As part of an internal fraud investigation, managers accessed confidential information on hundreds of thousands of employees and illegally monitored employee e-mail. &lt;br /&gt;That same month, a student journalist at Binghamton University found an unlocked storeroom containing boxes full of documents containing students' and parents' personal information, the third breach in less than a year. While the administration threatened to charge the reporter with trespassing, students circulated a petition to sack Terry Dylewski, the chief information security officer. Those calls were renewed after a fourth privacy breach in April. In December, the Ohio Department of Job and Family Services fired its Deputy Director of Child Support for authorizing database checks on a state resident for no legitimate purpose. Two other department employees associated with the checks also no longer work with the department due to their involvement in a breach of the records of Samuel J. Wurzelbacher, better known as "Joe the Plumber."&lt;br /&gt;Swiss bank secrecy under fire&lt;br /&gt;Calls for accountability--and with it, transparency--are becoming the new norm, and the financial services industry is on the frontline, given the furor over bonuses for bailed-out bank executives, and President Obama's pledge to crack down on international tax havens. 
Not even Swiss banks, legendary for their secrecy, are immune. Last year, federal authorities charged several cross-border private banking executives at UBS, Switzerland's largest bank, with helping American citizens hide an estimated $20 billion in offshore accounts. That, plus the recent threat of indictment for all of the bank's executives, saw UBS, the largest bank in Switzerland, recently admit to defrauding the IRS. The bank agreed to pay a $780 million fine and release the names of American accountholders. &lt;br /&gt;Parliament expenses scandal&lt;br /&gt;Perhaps the lesson is this: With notions of transparency and accountability on the rise, companies hide behind secrecy laws at their peril. In the UK, members of Parliament (MPs) learned that the hard way, after details of their expenses revealed that many had abused the system to pay for things not related to their duties as an MP, such as moat cleaning and tennis court repairs. The expenses, which the Labor majority in Parliament battled for five years to keep private, came to light after courts upheld a journalist's right to obtain the information under Britain's relatively new Freedom of Information Act. The irony of MPs who abused and hid their expenses--during a recession, no less--while pushing a national ID card, building a network of millions of CCTV cameras, and regularly losing large amounts of sensitive or classified data has brought British voters to the boiling point. The government and even forms of representational government are facing their biggest shakeup in more than 100 years, with citizens demanding further transparency and accountability, including proportional representation. &lt;br /&gt;Life after "keep everything"&lt;br /&gt;Interestingly, resistance is also growing to the UK government's "collect and keep everything" approach to data. 
One recent study branded the country as a "database state," and estimated that 25 percent of all government databases contained illegal information and should be scrapped. Likewise, courts recently ruled that the UK police practice of photographing everyone who attends a demonstration violated people's liberty, and instructed police to cease such practices and purge all such images from their databases.  The UK offers an insightful case study: If a society has gone to the brink of the "more is better" approach to collecting and retaining private data, while demanding little accountability from those in power, what happens next?  In fact, the outgoing UK Information Commissioner Richard Thomas recently predicted that collecting less personal information will become the new norm, to better balance security and liberty when government agencies collect and share data to do everything from spotting child abuse to discovering potential terrorists. "If you're looking for a needle in a haystack, it does not make sense to make the haystack bigger," he said.   Collect data, but collect it smarter, and retain only what you need? And know that your job is on the line if improper data gets collected, abused, or lost, or if people's rights get trampled?  
Those are words to live by in what is arguably our new culture of accountability.</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/63297905759656311/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=63297905759656311&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/63297905759656311'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/63297905759656311'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/06/privacy-blunders-foster-new-era-of.html' title='Privacy Blunders Foster a New Era of Accountability'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-2966635785158827897</id><published>2009-06-24T09:51:00.000-07:00</published><updated>2009-06-24T11:23:39.197-07:00</updated><title type='text'>45,000 Cornell University Records Exposed</title><content type='html'>Retailer TJX will pay $9.75 million to settle charges related to its 2007 data breach that exposed the financial details of thousands of customers, reports consumeraffairs.com. 
It is the farthest-reaching data breach settlement to date.&lt;br /&gt;&lt;br /&gt;As stunning a piece of news as that is, I am even more saddened by the following news from Cornell University. After years of hammering the point, laws passed, all of the white papers, and articles written about personal data safety and enterprise liability, why are we still seeing this kind of news? EVERY entity that maintains personal data of ANY kind needs to take care of business. There are no excuses and no arguments to the contrary. Business owners, what more do you need? Cornell just offered to pay at least $1,125,000 for credit monitoring alone at the current going rate. That is a small fraction of what this breach will eventually cost the school.&lt;br /&gt;&lt;br /&gt;Cornell University &lt;a href="http://rs6.net/tn.jsp?et=1102620664019&amp;amp;s=40570&amp;amp;e=0013iHbLyLEElbMqTgzCa7zcPCyU_B9e76TmMQAAmhoBzusQifTAGzR9akyo3SaJaWVzrUgLpr80_JYH1g1Ad2dvVAncy_gaIjkao5vPwxJfhq-_cHjmqDTFols4GeHp5IuCcBMbmNyjHDn1cbJkGF0NdMXDtnY5JWuk5dx17wYLCyvzit0-thP4w91FLtetK6BPD6rNZciMVtzNnC_cNJ1SA==" target="_blank" linktype="link" track="on"&gt;announced&lt;/a&gt; that police are investigating the theft of a school laptop containing the personal information--including Social Security numbers--of approximately 45,000 students, alumni, faculty and staff. The Associated Press reports that the laptop was stolen from a Cornell technician and there are, so far, no known misuses of the data. The university sent a letter to those individuals whose records were on the computer, offering a free year of credit services. It has also set up an &lt;a href="http://rs6.net/tn.jsp?et=1102620664019&amp;amp;s=40570&amp;amp;e=0013iHbLyLEElbqW_yVEyvavheTdMwuyR32Qar-inCjCPSt55K1MNloE8k0cuKd5iyxdVkpjF-ZlpfFe0vNazJF3HnTp2Rdggpe7drnGmj7eiWPEOlNav5dnnIj2qaj8LJT" target="_blank" linktype="link" track="on"&gt;FAQ page&lt;/a&gt; on the Cornell Web site. 
&lt;a href="http://rs6.net/tn.jsp?et=1102620664019&amp;amp;s=40570&amp;amp;e=0013iHbLyLEElb8cdaHq7Sa9DphiRuTc06zvSAySgxHWRAy4uekh5o7VF4SAbQiUG-aONvhAZf7dem_-m_qBhy-tP7TYA-t4snT9dawkunRVVpl8xKTu6Rkq4Bzk1hsvBCOPrWVjzKAHdGDpDMsElNq1C33-7TLcjap7GpzNOEo6mopg3PnP4JT8jE0gMGKN2Mfr_t9RrnUGhvt_HObZAtmqA==" target="_blank" linktype="link" track="on"&gt;Full Story &lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-2966635785158827897?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/2966635785158827897/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=2966635785158827897&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/2966635785158827897'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/2966635785158827897'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/06/45000-cornell-university-records.html' title='45,000 Cornell University Records Exposed'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-2443017456368449052</id><published>2009-06-18T10:47:00.000-07:00</published><updated>2009-06-18T10:48:08.259-07:00</updated><title type='text'>Five Point HITECH Prep Plan</title><content type='html'>The Health Information 
Technology for Economic and Clinical Health Act (HITECH Act) compliance deadline is September 18, 2009. The law sets new health privacy requirements, including a breach notification mandate and a broader definition of "personal health information" (PHI). In an article for CSO, ID Experts Chief Security Officer Rick Kam outlines steps organizations can take toward compliance. Among them, Kam recommends: conducting a risk-based assessment; securing PHI; and planning for breach detection and response, among others. "[The Act] will likely affect every aspect of your operations...," Kam writes. "With increasing risks, a better understanding of the compliance process will benefit your patients, your employees and your business." &lt;a href="http://rs6.net/tn.jsp?et=1102615132267&amp;amp;s=40570&amp;amp;e=001gTYkyCV_5Uh5euoxy9TvdDD2Q8CenIQwdi9vznPgKpYuITrmF-iBTmH0FPjkt9wqwsij8K2Bx3ete6ySkV0ka1DQ4TRONfUVSHE9566nr7v_H4imWOZpxYfUZn_hOMCIu5zTaGHC-pxbIdOXywhlyKQjz82Occ1pMGTDtIG9HD_bhB61Vx_9NT-Hla33mR3O" target="_blank" linktype="link" track="on"&gt;Full Story &lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-2443017456368449052?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/2443017456368449052/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=2443017456368449052&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/2443017456368449052'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/2443017456368449052'/><link rel='alternate' type='text/html' 
href='http://jtidtheftblog.blogspot.com/2009/06/five-point-hitech-prep-plan.html' title='Five Point HITECH Prep Plan'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-1936020079658514396</id><published>2009-06-17T11:19:00.000-07:00</published><updated>2009-06-19T11:18:18.140-07:00</updated><title type='text'>FTC Issues Consent Order Against Nutter &amp; Co.</title><content type='html'>&lt;em&gt;The Federal Trade Commission (FTC) yesterday issued a consent order against James B. Nutter &amp;amp; Company for violations of the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;Gramm&lt;/span&gt;&lt;/span&gt;-Leach-&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1"&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1"&gt;Bliley&lt;/span&gt;&lt;/span&gt; Act privacy and safeguards rules. The commission found that the mortgage lender failed to: maintain a written information security program; adequately protect information stored on its network; institute appropriate security measures for personal information on its network; and provide adequate privacy notices, among other violations. The notice sets out actions the company must take as a result, including an order requiring biennial third-party assessments for the next 10 years. 
Privacy expert &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_2"&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_2"&gt;Rebecca&lt;/span&gt;&lt;/span&gt; Herold, &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_3"&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_3"&gt;CIPP&lt;/span&gt;&lt;/span&gt;, says: "This case demonstrates the long-term consequences of not implementing a strong information security program."&lt;/em&gt;&lt;a href="http://rs6.net/tn.jsp?et=1102613828920&amp;amp;s=40570&amp;amp;e=001grWvcdXEsNTYTfMmD4JblY1Hb_IG064Sb7wVYa58H4f7j7n0vxi3ilJ6V92Q5BJKrFiboKhIoA4zDmlSRgImARACQ2oYviIvOWYpPI48Xm95dxNcztMEYbH82Ca9FV8O--CAkKWHJS8bKPX6tB8Uxg==" target="_blank" track="on" linktype="link"&gt;&lt;em&gt;Full Story&lt;/em&gt; &lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Now as we prepare to enter the enforcement phase of Red Flags Rule compliance it is important to note that enforcement of &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_4"&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_4"&gt;GLB&lt;/span&gt;&lt;/span&gt; and other privacy-based laws is ongoing. 
&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_5"&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_5"&gt;GLB&lt;/span&gt;&lt;/span&gt; has very similar &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_6"&gt;recommendations&lt;/span&gt; as &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_6"&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_7"&gt;FACTA&lt;/span&gt;&lt;/span&gt; regarding compliance.&lt;br /&gt;&lt;ul&gt;&lt;li&gt;The adoption of an identity theft response and prevention plan specific to the business&lt;/li&gt;&lt;li&gt;The training of all employees on the specific plan&lt;/li&gt;&lt;li&gt;The oversight of the policies of all contractor businesses and 3rd &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_7"&gt;parties&lt;/span&gt; that might have access to &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_8"&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_8"&gt;NPI&lt;/span&gt;&lt;/span&gt;.&lt;/li&gt;&lt;li&gt;A full documentation of the above&lt;/li&gt;&lt;li&gt;Optionally offering a mitigating identity theft service to all employees for their individual protection.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;All of the above combined with other procedures specific to each business comprise a proactive response to the threat of data breaches. That is precisely what the FTC is asking every business to do, establish a proactive program to mitigate the risk of breach and train all employees on their roles to protect the data. 
If you include in the training a general awareness of identity theft as it affects the individual, you create the "culture of security" that is essential in today's world.&lt;/p&gt;&lt;p&gt;The guidelines set out in &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_9"&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_9"&gt;GLB&lt;/span&gt;&lt;/span&gt; and again in &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_10"&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_10"&gt;FACTA&lt;/span&gt;&lt;/span&gt; affect virtually every business in America either directly as a requirement, or as a service provider for a business that is directly covered. The regulations under a new &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_11"&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_11"&gt;HIPAA&lt;/span&gt;&lt;/span&gt; (&lt;span style="font-size:85%;"&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_12"&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_12"&gt;HITECH&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;) initiative, along with new state and federal breach reporting laws, will soon make it mandatory for virtually all businesses to adopt such a plan.&lt;/p&gt;&lt;p&gt;While August 1st is set as the enforcement phase date for the Red Flags Rule, now is the time for businesses, non-profits, &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_13"&gt;municipalities&lt;/span&gt;, school districts, etc., to put such plans in place and get the staff up to speed. In the programs I help my clients &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_14"&gt;initiate&lt;/span&gt;, the staff training meeting lasts from 45 minutes to an hour to complete. That, along with a short meeting with management, and the framework can be in place. 
It can be much simpler to accomplish than it seems at first.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-1936020079658514396?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/1936020079658514396/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=1936020079658514396&amp;isPopup=true' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/1936020079658514396'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/1936020079658514396'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/06/ftc-issues-consent-order-against-nutter.html' title='FTC Issues Consent Order Against Nutter &amp; Co.'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-9571124893466008</id><published>2009-06-15T10:56:00.000-07:00</published><updated>2009-06-18T09:26:42.109-07:00</updated><title type='text'>Medical Problems Could Include Identity Theft</title><content type='html'>&lt;span style="font-size:78%;"&gt;By &lt;/span&gt;&lt;span style="font-size:85%;"&gt;&lt;span style="font-size:78%;"&gt;WALECIA KONRAD&lt;/span&gt; New York Times &lt;span style="font-size:78%;"&gt;June 12, 2009&lt;/span&gt; &lt;/span&gt;&lt;br /&gt;&lt;span 
style="font-size:85%;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="color:#990000;"&gt;Everyone needs to pay attention to this. When you are shopping for an identity theft service ask yourself if the one you are considering will absolutely protect you or restore you from this nightmare.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;em&gt;Brandon Sharp, a 37-year-old manager at an oil and gas company in Houston, has never had any real health problems and, luckily, he has never stepped foot in an emergency room. So imagine his surprise a few years ago when he learned he owed thousands of dollars worth of emergency-service medical bills.&lt;br /&gt;Mr. Sharp, as it turned out, was a victim of a fast-growing crime known as medical &lt;/em&gt;&lt;a title="More articles about identity theft." href="http://topics.nytimes.com/your-money/credit/identity-theft/index.html?inline=nyt-classifier"&gt;&lt;em&gt;identity theft&lt;/em&gt;&lt;/a&gt;&lt;em&gt;.&lt;br /&gt;At the time, Mr. Sharp was about to get married and buy his first home. Before applying for a &lt;/em&gt;&lt;a title="More articles about mortgages." href="http://topics.nytimes.com/your-money/loans/mortgages/index.html?inline=nyt-classifier"&gt;&lt;em&gt;mortgage&lt;/em&gt;&lt;/a&gt;&lt;em&gt; he requested a copy of his credit report. That is when he found he had several collection notices under his name for emergency room visits throughout the country.&lt;br /&gt;“There was even a $19,000 bill for a Life Flight air ambulance service in some remote location I’d never heard of,” said Mr. Sharp, who made this unhappy discovery in 2003. “I had emergency room bills from places like Bowling Green, Kan., where I’ve never even visited. I’m still cleaning up the mess.”&lt;br /&gt;The last time federal data on the crime was collected, for a 2007 report, more than 250,000 Americans a year were victims of medical identity theft. 
That number has almost certainly increased since then, because of the increased use of electronic medical records systems built without extensive safeguards, said Pam Dixon, executive director of the nonprofit World Privacy Forum and author of &lt;/em&gt;&lt;a title="Dixon’s report." href="http://www.worldprivacyforum.org/pdf/wpf_medicalidtheft2006.pdf"&gt;&lt;em&gt;a report&lt;/em&gt;&lt;/a&gt;&lt;em&gt; on medical identity theft.&lt;br /&gt;And uncountable, Ms. Dixon said, are the people who do not yet know they are victims. They may not know that their medical information has been tampered with for months or even years until, as in Mr. Sharp’s case, it shows up in collections on a credit report.&lt;br /&gt;Medical identity theft takes many guises. In Mr. Sharp’s case, someone got hold of his name and &lt;/em&gt;&lt;a title="More articles about Social Security." href="http://topics.nytimes.com/top/reference/timestopics/subjects/s/social_security_us/index.html?inline=nyt-classifier"&gt;&lt;em&gt;Social Security&lt;/em&gt;&lt;/a&gt;&lt;em&gt; number and used them to receive emergency medical services, which many &lt;/em&gt;&lt;a title="Recent and archival health news about hospitals." href="http://topics.nytimes.com/top/news/health/diseasesconditionsandhealthtopics/hospitals/index.html?inline=nyt-classifier"&gt;&lt;em&gt;hospitals&lt;/em&gt;&lt;/a&gt;&lt;em&gt; are obliged to provide whether or not a person has &lt;/em&gt;&lt;a title="More articles about insurance." href="http://topics.nytimes.com/your-money/insurance/index.html?inline=nyt-classifier"&gt;&lt;em&gt;insurance&lt;/em&gt;&lt;/a&gt;&lt;em&gt;. Mr. Sharp still does not know whether he fell victim to one calamitous perp who ended up in several emergency rooms or a ring of accident-prone conspirators.
&lt;br /&gt;In another variant of the crime, someone can use stolen insurance information, like the basic member ID and group policy number found on insurance cards, to impersonate you — and receive everything from a routine physical to major surgery under your coverage. This is surprisingly easy to do, because many doctors and hospitals do not ask for identification beyond insurance information.&lt;br /&gt;Even more common, however, are cases where medical information is stolen by insiders at a medical office. Thieves download vital personal insurance data and related information from the operation’s computerized medical records, then sell it on the black market or use it themselves to make fraudulent billing claims.&lt;br /&gt;In a widely reported case in 2006, a clerk at a Cleveland Clinic branch office in Weston, Fla., downloaded the records of more than 1,100 &lt;/em&gt;&lt;a title="Recent and archival health news about Medicare." href="http://topics.nytimes.com/top/news/health/diseasesconditionsandhealthtopics/medicare/index.html?inline=nyt-classifier"&gt;&lt;em&gt;Medicare&lt;/em&gt;&lt;/a&gt;&lt;em&gt; patients and gave the information to her cousin, who in turn, made $2.8 million in bogus claims.&lt;br /&gt;When people are not aware their medical identities have been stolen, insurance companies may simply continue to pay the fraudulent claims without the victim’s knowledge. The person might learn of the fraud only when trying to make a legitimate claim, and the insurance company informs them they have reached their lifetime cap on benefits.&lt;br /&gt;Or victims may eventually discover erroneous information in their medical files during a doctor or hospital visit. And that may pose a bigger danger than the financial risks. The medical records may now contain vital information like blood type, &lt;/em&gt;&lt;a title="In-depth reference and news articles about Allergies." 
href="http://health.nytimes.com/health/guides/disease/allergies/overview.html?inline=nyt-classifier"&gt;&lt;em&gt;allergies&lt;/em&gt;&lt;/a&gt;&lt;em&gt;, prescription drug use or a history of disease that is just plain wrong. In an emergency, doctors could treat you based on this erroneous information. &lt;/em&gt;&lt;br /&gt;&lt;/span&gt;&lt;em&gt;&lt;br /&gt;And there are none of the consumer protections for medical identity theft victims that exist for traditional identity theft. Under the Fair Credit Reporting Act you can get a free copy of your credit report each year, put a fraud alert on your account and get erroneous charges deleted from your record. If your credit card is stolen and the thief goes on a spending spree, you’re not liable for more than $50 worth of the charges. &lt;span style="color:#990000;"&gt;1&lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;em&gt;With medical identity theft, though, the fraudulent charges can remain unpaid and unresolved for years, permanently damaging your credit rating. Under the federal law known as Hipaa — the Health Insurance Portability and Accountability Act — you are entitled to a copy of your medical records, but you may have to pay a hefty fee for them.&lt;br /&gt;Worse, Hipaa privacy rules can actually work against you. Once your medical information is intermingled with someone else’s, you may have trouble accessing your files. Privacy laws dictate that the thief’s medical information now contained in your records must be kept confidential, too.&lt;br /&gt;&lt;/em&gt;Even when you are able to correct a record, say in your doctor’s office, the erroneous information may have been passed on to dozens of other health care providers and insurers. Victims must track down and resolve these errors largely on a case-by-case basis, Ms. Dixon says.&lt;br /&gt;Medical providers contend that they are taking precautions against identity theft. 
At Cleveland Clinic, for example, security personnel routinely audit electronic medical record systems and all records are password-protected. Many Blue Cross Blue Shield insurers use software to screen for spikes in claims from providers that look suspicious. They also work with providers on encrypting medical files and carrying out data access restrictions, said Calvin Sneed, senior antifraud consultant at the Blue Cross and Blue Shield Association.&lt;br /&gt;And some medical centers and doctors’ offices now require patients to show photo ID and attach photos to patient charts.&lt;br /&gt;But privacy advocates worry that these steps do not go nearly far enough, especially in light of &lt;/em&gt;&lt;a title="More articles about Barack Obama." href="http://topics.nytimes.com/top/reference/timestopics/people/o/barack_obama/index.html?inline=nyt-per"&gt;&lt;em&gt;President Obama&lt;/em&gt;&lt;/a&gt;&lt;em&gt;’s plans to spend $20 billion to increase the use of electronic medical records nationwide as part of the stimulus package. “Without aggressive safeguards, we could be building an infrastructure for massive medical fraud,” said Ms. Dixon. &lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;/em&gt;&lt;br /&gt;&lt;span style="color:#990000;"&gt;If you find yourself a victim of this kind of fraud, you are not likely going to be as concerned about new privacy laws as you will about getting help for your situation. Nearly every state's Attorney General has gone on record regarding identity theft. With millions of cases each year, and with the amount of investigative work each one requires, the state AG offices cannot give each case the attention it requires. We all need to find ways to safeguard ourselves. 
A good identity theft service is by far the most efficient way to do that.&lt;/span&gt; &lt;span style="color:#660000;"&gt;&lt;span style="color:#990000;"&gt;A restorative service will handle the brunt of the work of sorting out records and establishing a clear record of the crimes that were committed, and finally go about the process of clearing false record entries.&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;1 &lt;span style="font-size:85%;color:#990000;"&gt;Actually that is not completely true. If you report debit card fraud within 72 hours or within 30 days of a regular bank statement being mailed to you, your liability is limited. Banks do not have to recover your losses after those times expire. ed.&lt;/span&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-9571124893466008?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/9571124893466008/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=9571124893466008&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/9571124893466008'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/9571124893466008'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/06/medical-problems-could-include-identity.html' title='Medical Problems Could Include Identity Theft'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-2848086607427208309</id><published>2009-06-12T09:00:00.000-07:00</published><updated>2009-06-12T13:37:38.570-07:00</updated><title type='text'>Don't Worry, I Can Do It Myself!</title><content type='html'>Back in 1957 our car was involved in a seemingly small accident. Another car had hit ours when my father was driving to work. They exchanged information like home telephone number and address, but as auto insurance was optional neither driver had a policy. No police report was filed because, well, it &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;wasn&lt;/span&gt;&lt;/span&gt;’t required in 1957.&lt;br /&gt;A day later dad noticed a strange whirring sound coming from under the car.&lt;br /&gt;Being too proud to take the car in to the garage, dad decided to fix it himself. Perhaps a little too much egoism was at work there. Dad tore into the drive train, removing this, and then that until the ground under the car was littered with parts. Dad &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1"&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1"&gt;wasn&lt;/span&gt;&lt;/span&gt;’t a mechanic. In fact he had a reputation for being essentially inept when it came to the mechanical. He was a good architect. He could design complex systems for big buildings but could not change a light bulb without a struggle.&lt;br /&gt;&lt;br /&gt;When he managed to put all the parts back on the car the problem was worse. In fact I think he created a couple of new problems trying to fix the first one. Not to be outfoxed by a mere car, dad kept at it until nothing worked. When my mother suggested that we call the garage to come and get the car, dad got a little irritated. His bruised ego took over. 
“Don’t worry, I can do it myself.” Fatal words. That little incident caused us a very expensive repair, and because of my dad’s refusal to have a simple auto insurance policy we were left without a car for weeks until my mother decided it was time to get one of her own so we &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_2"&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_2"&gt;wouldn&lt;/span&gt;&lt;/span&gt;’t get stranded like that again. Come to think of it, that car never did run right after that. Dad’s reasoning, like a lot of car owners at the time, was that anything that an insurance company could do he could do himself, and better.&lt;br /&gt;&lt;br /&gt;It was common for people to have that attitude in 1957. They suspected the insurance companies of scheming to take the &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_3"&gt;public&lt;/span&gt;’s money and doing little for the car owner in return. That kind of thinking triggered a whole new area of lawsuits. With more cars on the road than ever before claims of personal liability flew into every courtroom in America. People were suing each other in a frenzy that threatened to grind the court system to a halt. Enter the age of auto insurance. The system that evolved is one of traffic laws that make liability clear in every claim. Whether or not we agree with all of it, the laws are clear.&lt;br /&gt;&lt;br /&gt;Today we have liability insurance as a matter of fact for every driver. When claims are filed the system is in place to effect repairs for damaged cars. The relative nightmare our family went through over a simple repair would have never happened had my father and the other driver taken out insurance policies. Auto insurance is a self-evident concept today.&lt;br /&gt;&lt;br /&gt;In this era of identity theft I hear the same hubris. 
“Don’t worry it won’t happen to me, and if it does I can fix it myself.” Tell that to the millions of individuals who have suffered from the fallout of identity theft. You will find a different response from them. They know the advantage of a good identity theft service. My identity theft experience has lasted (so far) 8 years, and I still have issues. If I had an identity theft service before my incident I probably would have cleared it up in weeks or a couple of months at the worst and not had to expend over $26,000 in the process.&lt;br /&gt;&lt;br /&gt;Identity theft services did not exist then but they do now. There is no excuse for anyone to not have an identity theft service. But which one to get? That decision was just made a lot easier. Federal courts recently ruled that identity theft services that set fraud alerts with the credit bureaus for a fee are in violation of the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_5"&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_3"&gt;FCRA&lt;/span&gt;&lt;/span&gt;. That is one thing we can do for ourselves. This eliminates most of the companies right there. Find a service that will repair your identity after an incident, using real agents licensed to do that kind of work. Don’t do like my dad and attempt to fix it yourself. With more cases of identity theft every day the system is overwhelmed. You cannot do it without a protracted and painful &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_6"&gt;bureaucratic&lt;/span&gt; process and a great expense in both time and money. And it may likely never be done. It is restoration you need to have. Anyone can tell you that you are a victim. 
You want and need repair after the fact.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-2848086607427208309?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/2848086607427208309/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=2848086607427208309&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/2848086607427208309'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/2848086607427208309'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/06/dont-worry-i-can-do-it-myself.html' title='Don&apos;t Worry, I Can Do It Myself!'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-2900883728848391731</id><published>2009-06-10T13:31:00.000-07:00</published><updated>2009-06-11T07:37:29.079-07:00</updated><title type='text'>A Failure to Adequately Protect......</title><content type='html'>Now that we have returned from a well earned albeit too short vacation it's time to get back to business.&lt;br /&gt;&lt;br /&gt;Class actions are beginning to crank up in the area of data breach. 
Not being able to show pecuniary damages from specific cases of identity theft, the victims of data breaches are increasingly turning to class actions based at least in part on the failure of a data aggregator to protect the information they keep.&lt;br /&gt;&lt;br /&gt;&lt;em&gt;A class-action suit has been filed against health insurer Aetna for alleged data protection and privacy failures, reports Hartford Business. The company &lt;/em&gt;&lt;a style="FONT-FAMILY: Verdana,Geneva,Arial,Helvetica,sans-serif" href="http://rs6.net/tn.jsp?et=1102606855936&amp;amp;s=40570&amp;amp;e=001uQ4f_PFPm66ZB1MhC8rzjgVl_8OiYE57I6campNW-3dCG4Il9F4w3FJcwNQjfYCueB2WkzvtmTuoohWv2msYmUmkzPZrWIvtOuZz1wlp6NpYevSPOuoVBiX59nO1aPl3MPUXQsTmwxzkWjDlItzjBwmLmj-OdNZLUf1h9MzZmE8EBUSVk4t0PaBV8kSICaWo7T53xObGyU8QeYrcz2ekdb-SmUM0GH9CDGBq4acyYCM=" target="_blank" track="on" linktype="link"&gt;&lt;em&gt;announced&lt;/em&gt;&lt;/a&gt;&lt;em&gt; last month that hackers had gained access to its job application site, potentially exposing the Social Security numbers of 65,000 current and former employees. Plaintiffs are seeking credit monitoring, punitive damages, costs and other relief, according to the report. The complaint filed last week in a Pennsylvania District Court states: "Aetna unlawfully failed to maintain reasonable systems and procedures to protect [plaintiffs'] information."&lt;/em&gt;&lt;a href="http://rs6.net/tn.jsp?et=1102606855936&amp;amp;s=40570&amp;amp;e=001uQ4f_PFPm64dEMfod7mPT1SDi_I4HDF9I84uLut9twubKvTOj6p9Q8eClHasKUjIOy0f9sTr-8sRkkgKpaGwGoUeXa3SYbdpR0NYRUxmvflDVkQtVusYbjmo4UUp9epXndmLLVu4bED_bo5J338i_g==" target="_blank" track="on" linktype="link"&gt;&lt;em&gt;Full Story&lt;/em&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;What are the reasonable actions a company could take that might prevent these kinds of court actions? 
That varies from case to case and company to company, but will likely include the preventive steps required under FACTA, GLB, and state laws that specifically address identity theft. Whether it is 5 records that have been compromised or the 65,000 mentioned above, the liability is the same. A "Failure to adequately protect records" lawsuit should not be considered the cost of doing business like the petty theft of office supplies. The cost to the business cannot be calculated in terms of simple legal fees.&lt;br /&gt;A business that takes the preventive steps on its own before any data loss incident can greatly reduce the likelihood of a class action being initiated.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-2900883728848391731?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/2900883728848391731/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=2900883728848391731&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/2900883728848391731'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/2900883728848391731'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/06/failure-to-protect.html' title='A Failure to Adequately Protect......'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-2682092819524514775</id><published>2009-06-03T08:37:00.000-07:00</published><updated>2009-06-03T08:40:02.425-07:00</updated><title type='text'>A Little Break</title><content type='html'>Dear friends,&lt;br /&gt;&lt;br /&gt;As much as I love to write this column I'm going to take a few days off for myself and relax. I will see you all in a week. Until then, think security.&lt;br /&gt;&lt;br /&gt;John</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/2682092819524514775/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=2682092819524514775&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/2682092819524514775'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/2682092819524514775'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/06/little-break.html' title='A Little Break'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-7485687959367578483</id><published>2009-06-02T08:45:00.000-07:00</published><updated>2009-06-02T13:29:02.723-07:00</updated><title type='text'>Identity Theft Services, get one!</title><content type='html'>Although this column is intended mostly for business owners, HR and C-level security folks, I occasionally focus on identity theft services. There are a few reasons for that. First, in the spirit of full disclosure, I proudly represent what I honestly believe is the very best service available anywhere.&lt;br /&gt;&lt;br /&gt;While there are state and federal laws and guidelines intended for businesses regarding information safety, there is also the relentless wave of information theft resulting in identity theft that goes unabated. Each incident of data loss that is reported to the FTC and law enforcement results in a better understanding of the circumstances that create the opportunity for loss or theft. The laws are increasingly focused on some of the root causes as the data improves. That is partially why we now have a refocus on HIPAA and the challenges medical information protection creates. The new Red Flags Rule has established at least 26 specific activities that indicate possible identity theft and is aimed at virtually every business sector for compliance. 
Both of these laws are mandatory for the affected businesses and agencies, and if applied effectively should greatly reduce the incidents of data theft and misuse plaguing American business.&lt;br /&gt;&lt;br /&gt;At the same time, as reported recently by the &lt;a href="http://www.idtheftcenter.org/"&gt;Identity Theft Resource Center (ITRC)&lt;/a&gt;, there is no letup in reported cases of identity theft. Reporting has indeed improved, which means that we are probably seeing more accurate data, but it is undeniable that identity theft is still on the rise.&lt;br /&gt;&lt;br /&gt;What does that mean to us as both business people and individuals? I’ve often used the phrase “An armed society is a polite society” jokingly, but there is an element of truth to that. Let’s be clear, I’m not advocating using firearms to fight identity theft! What I am saying, however, is that for as long as identity theft is an issue, and there is no indication that it will go away soon, we should approach it on both fronts: by applying the steps in the laws to our businesses, and by covering our own personal risks as best we can.&lt;br /&gt;&lt;br /&gt;That brings us to identity theft protection products. I was talking with a friend recently about auto insurance rates. We both pay more than we would like to pay but agree that when we need to file a claim we are glad it’s there. So the cost of the insurance is easy to justify to protect the investment we have in our cars. What price are we willing to pay to safeguard our identities? Identity theft is a real problem that affects all of us and is here to stay. What would we be willing to pay to protect ourselves from being falsely arrested as a victim of identity theft? How about having our medical information usurped by thieves, used, and possibly altered innocently by medical records keepers? 
Bank account takeovers, new lives being established by illegal aliens using our SSN and personal information? Each one of these circumstances, when it occurs, creates a permanently skewed picture of who we are to the world at large. What would we want an identity theft service company to do for us realistically? It needs to be clearly understood that there are no current means to stop identity theft. However, by being smart we can reduce our exposure and risk. The focus needs to be not on what the service will do to stop ID theft but on what it does to provide an early warning system and safeguard us from the fallout. It often takes months and sometimes years to clear up just one incident of identity theft when we act on our own behalf. Victims face a bureaucracy of regulations and red tape when it comes to correcting records and databases. I think that is where the focus needs to be when choosing an identity theft service. It is necessary to have a service with a &lt;em&gt;proven&lt;/em&gt; track record of working with federal, state, and private agencies to wade through the complexities, work to correct records and represent the victim by building the appropriate files and history. Once identity theft happens it is statistically more likely to reoccur. Establishing a victim’s identity theft history is just as crucial as the initial restoration itself.&lt;br /&gt;&lt;br /&gt;Be smart, protect your business and the employees, but do not count yourself out of the picture. Identity theft has no boundaries and can happen to anyone at any time. Be smart and be prepared. A good service is a very small price to pay to avoid the emotional and financial fallout from identity theft. 
I don’t know how many auto claims are filed each year but I do know that there are somewhere between 8 and 10 million identity theft victims each year in the U.S.&lt;br /&gt;&lt;br /&gt;For more information on the Identity Theft Shield I represent look at the &lt;strong&gt;&lt;em&gt;My Business Website&lt;/em&gt;&lt;/strong&gt; link in this column.</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/7485687959367578483/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=7485687959367578483&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/7485687959367578483'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/7485687959367578483'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/06/identity-theft-services-get-one.html' title='Identity Theft Services, get one!'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-6605087604603792953</id><published>2009-05-29T09:43:00.001-07:00</published><updated>2009-05-29T14:01:17.013-07:00</updated><title type='text'>Want to Lower Your FICO?</title><content type='html'>Along the lines of yesterday's post I want to point 
out that when you (or anyone acting on your behalf) issue a fraud alert in your name with the credit bureaus, you stand a good chance of lowering your score. By issuing such an alert you are saying that you believe you are at increased risk of identity theft. That consideration alone &lt;em&gt;can&lt;/em&gt; lower your score as you are seen as a credit risk. Additionally, issuing a fraud alert also implies that, as well as being a potential victim, you might be a potential thief. Identity thieves have been known to issue alerts in the name of their victims in order to obfuscate the crime. They use it as a smokescreen to continue to use the stolen identification. The bureaus initially have no way of knowing which is the case.&lt;br /&gt;Fraud alerts should be limited to the uses intended by the law, to provide an individual with a proactive tool to use in the event of identity theft. Any action taken with the credit bureaus can have an adverse effect on your scoring, just as an inquiry or late payment statement does.&lt;br /&gt;&lt;br /&gt;Another tool we should never forget is &lt;a href="http://www.annualcreditreport.com/"&gt;http://www.annualcreditreport.com/&lt;/a&gt; . You have the right to see each of your 3 national credit reports on an annual basis. This will not affect your score. 
Stagger them in order to have a fresh report every four months.</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/6605087604603792953/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=6605087604603792953&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/6605087604603792953'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/6605087604603792953'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/05/want-to-lower-your-fico.html' title='Want to Lower Your FICO?'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-8162787771120916870</id><published>2009-05-28T09:44:00.000-07:00</published><updated>2009-06-01T07:32:44.235-07:00</updated><title type='text'>Fraud Alert Services are Illegal</title><content type='html'>A federal judge last week decided that LifeLock's fraud monitoring practices violate California law, reports Wired. 
The identity-theft protection company was sued last year by one of the nation's three credit reporting bureaus for violating California's Unfair Competition Law. For a fee, LifeLock places fraud alerts on consumers' credit reports on their behalf. U.S. District Judge Andrew Guilford determined that the lawmakers writing the 2003 Fair and Accurate Credit Transactions Act (FACTA), which gave consumers the right to place free fraud alerts on their credit reports, did not intend for "companies and entities such as credit repair clinics," to be able to place the alerts. &lt;a style="FONT-WEIGHT: bold" href="http://rs6.net/tn.jsp?et=1102592735351&amp;amp;s=40570&amp;amp;e=001V0yxv_RwZtqMXw-dIdRPeAf6cD3U9d9TL9Qe7SYGhqhtJOCXBvKkqmI0iEhnm88DG-AJS-By18G2xBfyzfgjGnl8sgMp_Wk6Fv9hYK53Prv-PQZu5VzWUvFayS5pIC3vlSzLvelNu_Ify9bgisNvKeosM2ro2aNd" target="_blank" track="on" linktype="link"&gt;Full Story &lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I have been making this point now for several years. Fraud alert services are bogus attempts to get into a growing "industry". An industry in the most rare definition of the word that produces precious little but declares quite a lot. They simply took advantage of the rights we have under the FCRA, culled out one paragraph from that act and opened shop. 
This paragraph proposes that any entity that issues credit accounts must contact the individual or his/her designate prior to opening a new account if a fraud alert has been placed with the credit bureaus. The fact of the matter is that most creditors do not follow that practice. Add to that the irrefutable fact that credit related identity theft is less than 1/3rd of all identity theft and you are left with a highly ineffective service that in my opinion gives the public a false impression of identity theft and a false sense of confidence in the product to protect them. This is not about Experian or any other entity; this is about the truth. These companies will cook any statistic they can to assert their claims that they have effective services when in most professionals' opinion they offer little to no advantage for the client that the client cannot do for themselves at no cost.&lt;br /&gt;&lt;br /&gt;Look at any other field such as law enforcement, medicine, engineering, and so on. Who are the people that own or manage the organizations? Are they marketing people or venture capitalists? No, they are professionals with experience in their field. When we began our Identity Theft Shield in 2003 those of us who were already seasoned fraud risk and privacy rights experts predicted that as the crime grew, opportunists would come along and try to take advantage of the increase in identity theft. And we also knew that they would be shaken out if their services did not offer true assistance and expertise.&lt;br /&gt;&lt;br /&gt;The Internet is full of comparisons between the various services. 
You will almost always note one glaring exception, the Identity Theft Shield from Pre-Paid Legal and Kroll Fraud Solutions. There is only one reason for this omission, well two reasons. First we don't pay for comparisons, and secondly and most importantly, you cannot compare a professional service to these others that do anywhere from nothing to very little on behalf of the client but charge handsomely for the product. All of the above is of course my considered opinion.&lt;br /&gt;&lt;br /&gt;As one very well respected identity theft expert once put it to me, "It's hard being right......early."</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/8162787771120916870/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=8162787771120916870&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/8162787771120916870'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/8162787771120916870'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/05/fraud-alert-services-are-illegal.html' title='Fraud Alert Services are Illegal'/><author><name>John 
Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-2669304058145059452</id><published>2009-05-27T09:51:00.000-07:00</published><updated>2009-05-27T09:53:32.473-07:00</updated><title type='text'>The Specter of Identity Theft at the Heart of the Matter</title><content type='html'>I didn't have time to comment on this but it was in today's privacy mail.&lt;br /&gt;&lt;br /&gt;A Washington couple whose nephew spent a year cleaning up after his identity was stolen has "become very fussy" about protecting their privacy, reports the Yakima Herald. So when Aram and Marjorie Langhans noticed Aram's Social Security number (SSN) on a printout at the Yakima Heart Center recently, they requested its removal from the center's files. The center refused and denied treatment without the SSN. A center administrator said they collect patients' SSNs to help verify identity. But the Washington Attorney General's (AG) office said the Langhans were right to protect Aram's SSN. SSNs "have been compromised by employees in the healthcare sector...," said an AG spokesperson. "Anything a company can do to reduce access, we strongly encourage." 
&lt;a href="http://rs6.net/tn.jsp?et=1102591572013&amp;amp;s=40570&amp;amp;e=001YjB5mOFYQA8kH2sbcWwJFeRDOzpX-X67pBJmRVuT9I4NWId83ndYcScz72VOVifcmsI_xJMgaDvdz3lr2tT1V2pCW3zaALP-RqiUMoq7f1Ydqg84nLogL6sO_iR6kQOUoCdg_Jzw6PvNMgfS3Moil4AcRKVg5tW8I5bsLIlg431ND4PEWzL_bvWYJKC2iuQ-7XU9xqN8HpMd_eHdYUSp9DAtdkwLLs3N" target="_blank" linktype="link" track="on"&gt;Full Story&lt;/a&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/2669304058145059452/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=2669304058145059452&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/2669304058145059452'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/2669304058145059452'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/05/spector-of-identity-theft-at-heart-of.html' title='The Specter of Identity Theft at the Heart of the Matter'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-4597822010308765884</id><published>2009-05-21T14:21:00.000-07:00</published><updated>2009-05-22T08:57:05.847-07:00</updated><title type='text'>New Data Initiatives Converge For Information 
Protection</title><content type='html'>Alert!&lt;br /&gt;&lt;br /&gt;The Health Information Technology for Economic and Clinical Health Act (HITECH) points to some substantial changes in the rules relating to the minimum necessary disclosures of personal health information, imposes additional notice requirements in the case of security breaches and grants new enforcement powers to the states.&lt;br /&gt;The Health and Human Services Department, which enforces HIPAA security and privacy laws, &lt;a href="http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/guidance_breachnotice.html" target="_blank"&gt;recently released guidance&lt;/a&gt; on what counts as “unsecured” information and a request for comments on breach notification under HITECH.&lt;br /&gt;For employers whose health plans must comply with HIPAA privacy and security rules, HITECH means they will have to review and update contracts with business associates to ensure that the documents reflect the new privacy and security laws.&lt;br /&gt;The changes introduced by HITECH will have enormous consequences for third-party vendors, such as benefits brokers and consultants, that act as business partners for self-funded group health plans and large, experience-rated insured plans.&lt;br /&gt;Such vendors will need to take steps to conform to the substance of the HIPAA security standards. Compliance will, at a minimum, entail the adoption of physical, administrative and technical safeguards. 
This will include implementing security policies and procedures.&lt;br /&gt;In the case of business associates, HITECH makes the following changes:&lt;br /&gt;&lt;br /&gt;• Business associates are now subject to the substantive provisions of the HIPAA security rules generally in the same manner and to the same extent as covered entities;&lt;br /&gt;• Business associates must now enter into and abide by a business associate agreement (previously, the burden was on the covered entity to identify business associates and to obtain the necessary business associate agreements);&lt;br /&gt;• Business associates are now subject to civil and criminal penalties for violation of these rules; and&lt;br /&gt;• HHS is required to conduct periodic compliance audits of business associates as well as covered entities.&lt;br /&gt;&lt;br /&gt;Remember, the Red Flags Rule amendment to FACTA also calls for changes in the contracts with service providers and third party vendors. Under law the changes must include an understanding of that vendor’s policy concerning information security and identity theft prevention. A lot of companies are not used to this kind of oversight, and might not understand their responsibility regarding sensitive information policy.&lt;br /&gt;&lt;br /&gt;On August 1 of 2009 the FTC will begin the enforcement phase of the Red Flags Rule, meaning that since the law went into effect on January 1st of 2008, different industry sectors have been on notice to implement a program to address identity theft and how to respond in the event of a breach of information. Now enforcement in the form of audits and possible fines and prosecution will begin for businesses that have ignored or skirted the law as it applies to them. 
For more information on the Red Flags Rule see the link in my column to the &lt;em&gt;Red Flags Rule&lt;/em&gt;.&lt;br /&gt;&lt;br /&gt;When a medical facility, Human Resources contractor, or benefits broker applies the newest rules of HITECH with regard to medical information security, they will not be excused from adherence to FACTA as well. HIPAA and its initiatives only address the security of medical data, not other types of personally identifiable information such as employee files or financial information. A recent case in January of this year involving the theft of 30,000 personnel files from the Kaiser Medical facilities in Oakland, California points out graphically that compliance with one law doesn’t necessarily cover the business regarding the other, even though both laws address information security. Compliance with both initiatives does have common ground, however. A written policy is essential as a starting point to establish the culture of security from the Board down. Training, as I mention here as often as I can, is next. I can’t overemphasize the importance of ongoing training of all staff. Contractor oversight is another common point. Without that the system cannot work effectively. It isn’t as important for one company to adhere to a good security program as it is for all the companies that share the information to do so.&lt;br /&gt;&lt;br /&gt;It has also come to my attention that enforcement of the HITECH initiatives will be transferred to the FTC, and not be enforced by HHS as previously thought. 
Although oversight will remain with HHS, the FTC has a track record of enforcement of consumer protection regulations.</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/4597822010308765884/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=4597822010308765884&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/4597822010308765884'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/4597822010308765884'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/05/new-data-initiatives-converge-for.html' title='New Data Initiatives Converge For Information Protection'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-7418612182240097891</id><published>2009-05-20T14:34:00.000-07:00</published><updated>2009-05-20T15:33:41.208-07:00</updated><title type='text'>No State Secrets Lost This Time, Just (maybe) Yours!</title><content type='html'>&lt;em&gt;The FBI is investigating the loss of a computer hard drive from the National Archives record center, reports the New York Times. 
The drive contains a terabyte of data, including the personal information of individuals affiliated with the Clinton presidency. A National Archives statement said the drive houses "an as-yet unknown amount of personally identifiable information of White House staff and visitors." Social Security numbers, home addresses and security procedures, but no classified information, are believed to be on the drive. Authorities confirmed the breach in April. Analysts are still reviewing the drive's content.&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;No system or method of safekeeping your and my information will ever be completely fraud proof, nor will your information, which resides in everything from your elementary school records, your dentist's office, and military records to your county recorder's office, and so on, be safe from thieves. The opportunity for theft is too vast, and the methods of theft too varied, for any combination of methods to be effective.&lt;br /&gt;&lt;br /&gt;This column is maintained to provide some insight for businesses and other enterprises which maintain personal information. 
The fact of the matter is that unless we as individuals engage our own identity theft service we are at the mercy of data thieves and imperfect systems everywhere.</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/7418612182240097891/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=7418612182240097891&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/7418612182240097891'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/7418612182240097891'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/05/no-state-secrets-lost-this-time-just.html' title='No State Secrets Lost This Time, Just (maybe) Yours!'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-4791847819911150386</id><published>2009-05-19T10:14:00.000-07:00</published><updated>2009-05-22T09:00:57.537-07:00</updated><title type='text'>A Matter of Value</title><content type='html'>I would like to step back from identity theft for a moment. The main business of Taylor and Associates is to offer certain benefits to employees in all types and sizes of organizations. 
The company that I represent, Pre-Paid Legal Services Inc is the &lt;em&gt;&lt;strong&gt;only&lt;/strong&gt;&lt;/em&gt; underwriter of legal services plans and identity theft restoration services in America. We are growing in public acceptance precisely because of the immediate and practical value our clients receive from the benefit. That is the topic of this column, value.&lt;br /&gt;The services we represent are divided into seven separate areas of coverage. In 2008 our law firms were able to save or recover for our clients $21.9 million within just one benefit area alone! Unlike EAP programs which have limited legal services built in, our services are comprehensive and are not so severely limited. In fact the popularity of EAP programs is based partly on the demonstrated need for legal services. The majority of the legal needs of a family are completely covered by the membership without spending additional money. When you combine our legal plans with our identity theft program administered by Kroll Fraud Solutions for us, the employee has unparalleled coverage for the two biggest problems Americans face, access to quality private law firms for any and all legal needs, and full protection and restoration from any type of identity theft. According to the U.S. Secret Service identity theft has surpassed the international drug trade as the most profitable crime in the world. The legal plans were designed to address the areas that families encounter the most. 
Things like traffic court representation to keep auto insurance costs under control, or contract review when refinancing or making purchases, to consumer issues and product liability, estate planning, IRS audit help, and more. As a victim of massive identity theft in 2000 I was first advised to retain counsel. Because I didn't have the services of Pre-Paid at the time, that became a $26,000 episode for me. Remember, an identity theft episode is a legal situation.&lt;br /&gt;&lt;br /&gt;When we work with employee groups the very first thing we do is to hold a Will Workshop with all of our new clients to get them started on a will, along with the &lt;em&gt;advance medical directive&lt;/em&gt; and &lt;em&gt;durable POA&lt;/em&gt;, for each of them and their partners. I want them to receive a benefit the very first day they have our membership. I encourage them to use their services as often as possible simply because it can be a valued benefit, but only if they take advantage of what it can do for them. In this current economic crisis our attorney firms are making a real difference for people who are in danger of losing their homes to foreclosure, and along the Gulf Coast thousands of families have been helped in the aftermath of the devastating hurricanes. All of the law firms in our proprietary network also have privacy specialists on staff to directly handle identity theft issues. This fact has not been lost on the fifty sitting Attorneys General who have recognized us as a force for equal justice in America. 
The cost of these services is far less than a dollar a day for everything combined, and as we want to earn the business of each client monthly we never engage in long-term contracts.&lt;br /&gt;&lt;br /&gt;After 37 years of continued growth Pre-Paid Legal Services is the pioneer and leader in this industry. Our position on the NYSE shows continuous growth in a volatile market. At Taylor and Associates we take great pride in delivering more value to our clients throughout the country than we receive in money from them. A benefit that people can use is a valued benefit.&lt;br /&gt;&lt;br /&gt;I've spoken about the value we bring to employers in the past, but it does bear repeating that by offering the services of trained identity theft risk specialists and the compliance documentation we provide, there is an additional value to the company. Whether legal issues or identity theft, or both, the value to the employee cannot be calculated in simple dollar savings alone but also in terms of a peace of mind that family issues are being handled by professionals with the clients' best interest in mind. The value to the employer, besides what I just mentioned, is in the ongoing training and assistance we provide to help with an identity theft program as required by law for most employers. No other firm has all three components in place: identity theft protection services for the employee, comprehensive legal service plans for employees, and a program for the company to reduce its risk from data breach and the fallout from identity theft episodes. All in all the value of the combination of these programs has a proven 37-year track record with over 35,000 employers in every type of business, local government, and non-profit. Value is at the core of how the plans are devised. 
Pre-Paid Legal Services has amassed what I believe is the largest database of actuarial data in existence to bear this out.</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/4791847819911150386/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=4791847819911150386&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/4791847819911150386'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/4791847819911150386'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/05/word-about-value.html' title='A Matter of Value'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-3949081861156892958</id><published>2009-05-12T14:04:00.000-07:00</published><updated>2009-05-21T08:58:03.778-07:00</updated><title type='text'>A Culture of Security</title><content type='html'>I read a lot of technical papers and discussions on methodology of data security, and the philosophy of a security-minded culture. A lot of very intelligent people are diligently looking for better and more efficient ways to move data around an enterprise and still maintain a modicum of security. 
Data is after all the engine that runs modern business. Whether it is described as proprietary information (IP), or developmental operating infrastructure, or a software product, our service-based society is run on data. This intellectual property, if compromised, can ruin a company’s ability to maintain a competitive position.&lt;br /&gt;&lt;br /&gt;There is even an industry whose whole purpose is to aggregate, sort, re-sort, and sell data. See &lt;a href="http://www.axciom.com/"&gt;axciom&lt;/a&gt;, &lt;a href="http://www.choicepoint.com/"&gt;choicepoint&lt;/a&gt;, or &lt;a href="http://www.mib.com/"&gt;MIB&lt;/a&gt; for good examples of that sort of company. These “specialty database” companies have the additional burden of compiling the personally identifiable information of people who are not their clients but instead comprise the very commodity that the business trades in, data.&lt;br /&gt;&lt;br /&gt;In my previous career in engineering we were always developing techniques, specialized machines, or circuit designs that would help not only to propel our industry but also to attract customers to our business in particular. Innovation is essential to any industry. Maintaining the security or even secrecy of those innovations is paramount. In order to do that everyone involved must be clear on the concept. Unfortunately, when I talk to people in the IT or IS fields, protecting trade secrets is usually the kind of data protection that comes to mind. Now and again I meet IT pros, especially in accounting, financial advisory or mortgage firms, who are aware of the importance of protecting the clients’ personal files. 
Technical managers are by and large vaguely aware that personnel information is also at stake, but that concept is usually rather abstract to them. They are more focused on the throughput of data, encryption algorithms, and the models that contain sufficient justified loops that will safeguard company data files from inadvertent loss or from being hacked by an outside source, while being highly efficient and serving the enterprise more effectively. When I illustrate a case of an unhappy employee who has walked out of the building with the HR employee records on a flash drive to sell them at the local flea market, eyes will glaze over. That doesn’t compute in a technically focused infrastructure. Short of freezing everyone out of records access, there is no working model that will prevent that from occurring. And that is the point. Information that has value, to anyone, can and will be stolen and misused for personal gain. The solutions cannot be simply technical, but instead have to include employee training and awareness. That is why the recommendations within every federal identity theft prevention law include employee training.&lt;br /&gt;&lt;br /&gt;It is also critical that companies understand that just as a loss of intellectual property can cripple a company, so can the loss of personal information. In fact the loss of personal information has far-reaching consequences that extend beyond the incident, and into the realm of public perception. When a company loses the confidence of the general public, whether deserved or not, it becomes harder to maintain customers, attract new ones, obtain operating capital, and so forth. 
People believe that when a business is entrusted with their personal information, the company has a moral responsibility as well as a legal one to make every effort to protect it from thieves or accidental leaks.&lt;br /&gt;&lt;br /&gt;It’s just as important to trust certain employees as it is to have technical safeguards in place. Any culture of security has to have a balance of common sense, technical procedures, and individual education and training. Treat your employees with respect by educating them on the realities of what identity theft can do to a person. With an average of 10 million U.S. victims annually there is no shortage of real-life stories of individual ruin from identity theft. If a business can manage to do that kind of training alone then the employees gain not only the knowledge to protect themselves and their families but also an insight and incentive to safeguard the personal information they handle on a daily basis at work. A business must sensibly bring the employees into the solution for data loss by training and education. An informed and empowered employee can very well be the best asset a company can have in stemming the tide of data losses of any kind within the enterprise. I’m sure your employees know what to do in the event of fire, but do they know what to do if they discover that information has been stolen or compromised? That critical path alone can make the difference in whether an attacker gets away with valuable information from your company or not. Don’t rely on the TV ads promising to “stop identity theft before it happens”, or other wild claims to train your staff. That’s kind of like relying on the teenagers in the neighborhood to teach the children about love and relationships, hardly what you want them to learn. 
Those ads are misleading and have little to do with the realities of identity theft in the everyday world.</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/3949081861156892958/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=3949081861156892958&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/3949081861156892958'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/3949081861156892958'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/05/culture-of-security.html' title='A Culture of Security'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-7994330548648088970</id><published>2009-05-11T11:36:00.000-07:00</published><updated>2009-05-13T07:37:15.440-07:00</updated><title type='text'>Data Leak Reveals Massive Security Problems</title><content type='html'>As I have said many times in this column, I rarely write about specific instances of data theft or hacking into large servers at big organizations. The reason is simple: these incidents are so ubiquitous that they lose their impact. Recently U.C. 
Berkeley revealed that they have been hacked for a number of months to the tune of about 160,000 records. As stunning a revelation as that is, I’m not going to comment on that at length. If you want to learn more about that go to &lt;a href="http://www.mercurynews.com/"&gt;http://www.mercurynews.com/&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;What I think is more relevant to businesses today is this story.&lt;br /&gt;&lt;br /&gt;&lt;em&gt;NetworkWorld brings us inside the data leakage audit of a Boston-based pharmaceutical firm. During the 15-day review, auditors examined outbound e-mail, FTP and Web communications, revealing 11,000 potential leaks, more than 700 critical information leaks and violations of Payment Card Industry and other security standards. Among the "worst leaks:" confidential zip files and attachments sent by e-mail to an outside vendor; unencrypted e-mailing of a clinical study to an outside vendor; the mailing of employee compensation data to an outside company. "We thought we were in good shape..." said the company's CIO. "This just goes to show you can do all that and it's just not enough."&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;It is this kind of thing that business owners and executives need to read regarding identity theft compliance issues. I have never visited a business, regardless of the industry they serve, that does not need improvements in the way they handle sensitive documents, or personally identifiable information of employees or customers. Even the best among companies who believe they are doing everything possible are at increased risk. As long as data has value it will be stolen or used for illicit purposes. Illegal data sale and identity theft are two very profitable kinds of crime with little chance of prosecution. 
I’ve mentioned before that the U.S. Secret Service, the agency charged with investigating identity theft crimes, has gone on record saying that identity theft has surpassed the international drug trade as the most profitable crime in the world.&lt;br /&gt;Every business, no matter how large or small, needs to accept that risk exists and initiate an identity theft compliance program appropriate to their business. It will only serve to increase the security of information in the company, and to lower the risk of a data leak or worse, identity theft resulting from personal information taken from the company.</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/7994330548648088970/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=7994330548648088970&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/7994330548648088970'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/7994330548648088970'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/05/data-leak-reveals-massive-security.html' title='Data Leak Reveals Massive Security Problems'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-4852995970154259939</id><published>2009-05-08T09:24:00.000-07:00</published><updated>2009-05-08T10:04:09.668-07:00</updated><title type='text'>State Secrets for Sale?</title><content type='html'>Just in case you might think that data theft is something that happens to a few hapless individuals who are lax with their Social Security number read this.&lt;br /&gt;&lt;br /&gt;&lt;em&gt;The latest results in a five-years-running study might prompt some to review data destruction policies. University researchers in the U.K., Australia, and the U.S. purchased 300 drives from eBay and other retailers, finding that 34 percent of disk drives still contained confidential data. Banking details, blueprints, patient records, employee data, embassy logs and details on a ground-to-air missile defense system were among the data left behind. Study leads at the University of &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;Glamorgan&lt;/span&gt; in Wales say that over the past five years the volume of drives containing sensitive data has fallen, but the volume of data exposed has increased.&lt;br /&gt;&lt;/em&gt;&lt;a href="http://rs6.net/tn.jsp?et=1102574043833&amp;amp;s=40570&amp;amp;e=001qWACrhZrnxjE2gzr0ZILTc0dS0IxSyCG4jS7X_d5929Ji7jT35q4Xye_Upk9XQoo4ZqqeXL0Oy6YddYfPw3o8dIffYZLThzPmwVBNbK2wu6x6S8amlZGQ7uguB3Yf-L8GFN24U_mZoCSz8rDNjlAcHMr5VVrq9U49fbNzgy9KaMLb89CwiBtJxSSRp3astpa%20" track="on" linktype="link"&gt;Full Story&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;In my efforts to assist businesses with their identity theft prevention programs one of the areas that we try to cover is the disposal of hard drives. This article illustrates how important this is. Whenever replacing drives or exchanging computers make certain that drives are disabled. 
The surefire way to do that is to break the disk or drive a nail through it. Under certain circumstances the data on a wiped disk drive can be recovered. Flash (solid state) drives should be physically destroyed when they are taken from service.&lt;br /&gt;Another issue in the workplace is photocopiers. A copy machine can store thousands of documents in its memory. Since most businesses lease commercial copiers, it is essential that the machine's drives be wiped clean &lt;em&gt;before&lt;/em&gt; returning it to the supplier. The service technician for the leasing company knows how to format the copier drives, and should do that prior to removing the machine from the client's office.</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/4852995970154259939/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=4852995970154259939&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/4852995970154259939'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/4852995970154259939'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/05/state-secrets-for-sale.html' title='State Secrets for Sale?'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-7705307502372834634</id><published>2009-05-07T10:14:00.000-07:00</published><updated>2009-05-07T13:32:27.628-07:00</updated><title type='text'>Ongoing Issues at the FTC</title><content type='html'>Here are some issues the FTC currently has on the table  with regard to data security and privacy.&lt;br /&gt;&lt;br /&gt;Posted Tuesday, May 05, 2009 - Staff &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;infoZine&lt;/span&gt;1.&lt;br /&gt;&lt;br /&gt;&lt;em&gt;&lt;span style="font-size:85%;"&gt;1. The Federal Trade Commission testified on the Commission’s efforts to promote better security for sensitive consumer information and to prevent the inadvertent sharing of consumers’ personal or sensitive data over Peer-to-Peer Internet file-sharing networks. As part of these efforts, the agency also announced that it had reached an agreement with one of the largest privately held lenders in the United States to resolve charges that the company violated federal law by failing to provide reasonable security for consumers’ sensitive information.&lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;span style="font-size:85%;"&gt;&lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;span style="font-size:85%;"&gt;2. In testimony before the House Energy and Commerce Committee Subcommittee on Commerce, Trade and Consumer Protection, Acting Director of the Bureau of Consumer Protection Eileen Harrington said the agency strongly supports the goals of H.R. 2221, the Data Accountability and Trust Act, which would require companies to put reasonable data security policies and procedures in place, and to notify consumers when there has been a data security breach that affects them. 
The legislation also would give the Commission the authority to obtain civil penalties for violations. “A critical element of privacy is data security. If companies do not protect the sensitive consumer information that they collect and store, that information could fall into the wrong hands, resulting in fraud and other harm, and consumers could lose confidence in the marketplace,” the testimony stated.&lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;span style="font-size:85%;"&gt;&lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;span style="font-size:85%;"&gt;3. The Commission made two further recommendations regarding the data security legislation: It suggested that the legislation be extended to cover data stored on paper, as well as electronic data. It also recommended that certain provisions imposing obligations on information brokers – companies whose business is to collect and sell information about individuals who are not their customers – be targeted specifically to address harms consumers may face when brokers sell information about them, to the extent that such harms are not already addressed by federal law. 
These provisions should not displace existing legal protections. The FTC currently enforces several laws that restrict the disclosure of consumer information and require companies to ensure the security and integrity of the data in certain contexts: the Fair Credit Reporting Act restricts disclosure of consumer credit reports except for specified permissible purposes; the Gramm-Leach-Bliley Act imposes privacy and security obligations on financial institutions; and the FTC Act prohibits unfair or deceptive acts or practices in or affecting commerce.&lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;span style="font-size:85%;"&gt;&lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;span style="font-size:85%;"&gt;4. Using its authority under these laws, the testimony noted, the Commission has brought 26 law enforcement actions since 2001 against companies that allegedly failed to maintain reasonable procedures to protect consumers’ personal information, including a case the agency has just settled against James B. Nutter &amp;amp; Company. The company is based in Missouri and makes and services residential mortgage loans around the country. It collects information from loan applicants, including their Social Security numbers, financial information, and employment and credit histories. The Commission’s complaint alleges that, beginning in 2004, JBN engaged in a number of practices that taken together failed to provide reasonable and appropriate security for sensitive consumer information, in violation of the FTC’s Safeguards Rule. 
In addition, the complaint alleges that the company violated the FTC’s Privacy Rule by failing to provide privacy notices and, later, providing notices that were inaccurate. To settle these charges, JBN has agreed to a proposed order that would require it to establish and maintain a comprehensive data security program covering consumers’ personal information, and to hire an independent auditor to assess its security procedures every two years for 10 years, and to certify that these procedures comply with the proposed order. The proposed order also bars JBN from violating the agency’s Safeguards and Privacy Rules. The Commission previously has filed data security cases against retailers TJX, CVS Caremark and DSW Shoe Warehouse, and the data brokers ChoicePoint and Reed Elsevier, Inc., which operates Lexis Nexis and Seisint, Inc. The FTC also promotes better data security practices through extensive consumer and business education, the testimony stated. On the policymaking front, the FTC recently proposed a rule that would require that consumers be notified when the security of their health information is breached. 
In addition, the FTC is examining privacy issues associated with behavioral advertising and the use of personal health records and cloud computing networks.&lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;span style="font-size:85%;"&gt;&lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;span style="font-size:85%;"&gt;5. The testimony also details the Commission’s activities with regard to inadvertent file sharing on P2P networks. Although P2P technologies hold potential benefits for computer users and businesses, they also can raise the risk that sensitive information will be made available over P2P networks, either through inadvertent sharing or through &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_15"&gt;malware&lt;/span&gt;. The testimony noted that the agency has brought cases related to P2P file sharing, has helped P2P software developers devise voluntary best practices to help consumers prevent inadvertent file sharing, and continues to monitor efforts by companies to comply with these practices. The Commission also has held a workshop on P2P, issued a report, and alerted consumers to the risk of inadvertent file sharing. The testimony stated that the Commission also is supportive of H.R.1319, the Informed P2P User Act, legislation that would set a minimum standard for P2P software companies to follow in notifying consumers about what files a P2P program will share, and in obtaining consent from consumers before the files are made available. The FTC will publish an announcement regarding the agreement in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through June 8, 2009, after which the Commission will decide whether to make it final. 
To file a public comment, please click on the following hyperlink: &lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;span style="font-size:85%;"&gt;&lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;span style="font-size:85%;"&gt;http://www.ftc.gov/os/2009/05/0723108publiccomment.pdf and follow the instructions at that site&lt;/span&gt;&lt;/em&gt;.&lt;br /&gt;&lt;br /&gt;We are seeing, among other things from the existing laws and the new bills being introduced by Congress, a new direction in privacy and data security legislation. The convergence of these discussions suggests that a common set of compliance and consumer notification regulations is nearer than previously thought. There are laws that focus on financial data, medical data, usage of Social Security numbers, credit cards and so forth. Until now each of these is based on a different set of data. As the new Red Flags Rule points out, there is no real significance in the type of data as long as the data has a value to criminals and those who do not seek to protect but exploit the data. This kind of thinking is creating the unification of regulatory practices proposed by new bills such as H.R. 2221.&lt;br /&gt;&lt;br /&gt;Theft or loss of sensitive personal information, or the exploitation of sensitive information without regard to individual privacy, cannot be tolerated in any form. Neither can failing to notify individuals who might be at increased risk. The responsibility to safeguard sensitive personal information is squarely on the shoulders of industry and government agencies that use and store the information. It is obvious that industry will not police itself, as also seems to be true in our current economic crisis.&lt;br /&gt;It is therefore inevitable, given that reality, that the regulating authority will step in and create a set of guidelines to compel industry to comply. 
I would urge every business and local government authority to pay close attention to these discussions above and realize that identity theft and data theft are with us, perhaps permanently, and will require diligence on everyone’s part, just as we do in other areas of modern life.</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/7705307502372834634/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=7705307502372834634&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/7705307502372834634'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/7705307502372834634'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/05/ongoing-issues-at-ftc.html' title='Ongoing Issues at the FTC'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-1055045561982226643</id><published>2009-05-05T09:41:00.000-07:00</published><updated>2009-05-05T14:25:16.705-07:00</updated><title type='text'>Hackers Break Into Virginia Health Professions Database, Demand Ransom</title><content type='html'>Ask yourself 
this question. When my medical records are stolen and used for cash, or I can no longer get health insurance because my records have been corrupted and claims are made against my policy, or my vital information has been altered so that the information is no longer representative of me, what will Todd Davis of Lifelock, or Bo Holland of Debix, or Daryl Yurek of ID Watchdog do to help me? Will they provide me with ready access to attorneys who will represent me as a victim of medical identity theft? Will they help me to sort out my records for accuracy, and help to amend my insurance claims history, and help to remove false claims from my records? Will they provide any assistance whatsoever for medical records fraud or theft, or &lt;strong&gt;ransom&lt;/strong&gt;? I'm not attacking those individuals or their companies, but they do not address the realities of identity theft beyond your credit report and new credit account requests.&lt;br /&gt;&lt;br /&gt;Read on, my friends,&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Hackers Break Into Virginia Health Professions Database, Demand Ransom&lt;/strong&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;From Brian Krebs, The Washington Post&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;em&gt;Hackers last week broke into a Virginia state Web site used by pharmacists to track prescription drug abuse. 
They deleted records on more than 8 million patients and replaced the site's homepage with a ransom note demanding $10 million for the return of the records, according to a posting on Wikileaks.org, an online clearinghouse for leaked documents.&lt;br /&gt;Wikileaks &lt;/em&gt;&lt;a href="http://wikileaks.org/wiki/Over_8M_Virginian_patient_records_held_to_ransom,_30_Apr_2009"&gt;&lt;em&gt;reports&lt;/em&gt;&lt;/a&gt;&lt;em&gt; that the Web site for the Virginia Prescription Monitoring Program was defaced last week with a message claiming that the database of prescriptions had been bundled into an encrypted, password-protected file.&lt;br /&gt;Wikileaks has published a copy of the ransom note left in place of the PMP home page, a message that claims the state of Virginia would need to pay the demand in order to gain access to a password needed to unlock those records:&lt;br /&gt;"I have your [expletive] In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :(For $10 million, I will gladly send along the password."&lt;br /&gt;The site, along with a number of other Web pages related to Virginia Department of Health Professions, remains unreachable at this time. Sandra Whitley Ryals, director of Virginia's Department of Health Professions, declined to discuss details of the hacker's claims, and referred inquiries to the FBI.&lt;br /&gt;"There is a criminal investigation under way by federal and state authorities, and we take the information security very serious," she said.&lt;br /&gt;A spokesman for the FBI declined to confirm or deny that the agency may be investigating.&lt;br /&gt;Whitley Ryals said the state discovered the intrusion on April 30, after which time it shut down Web site access to dozens of pages serving the Department of Health Professions. 
The state also has temporarily discontinued e-mail to and from the department pending the outcome of a security audit, Whitley Ryals said.&lt;br /&gt;"We do have some of systems restored, but we're being very careful in working with experts and authorities to take essential steps as we proceed forward," she said. "Only when the experts tell us that these systems are safe and secure for being live and interactive will that restoration be complete."&lt;br /&gt;She added that the department does have a page online at &lt;/em&gt;&lt;a href="http://www.dhp.virginia.gov/"&gt;&lt;em&gt;www.dhp.virginia.gov&lt;/em&gt;&lt;/a&gt;&lt;em&gt; that lists the phone and fax numbers for various state health boards, and that the state would continue issuing health care licenses and investigating violations of the law or regulations of state health licensees. This is the second major extortion attack related to the theft of health care data in the past year. In October 2008, Express Scripts, one of the nation's largest processors of pharmacy prescriptions, disclosed that &lt;/em&gt;&lt;a href="http://voices.washingtonpost.com/securityfix/2008/11/extortionists_target_major_pha.html"&gt;&lt;em&gt;extortionists were threatening to disclose personal and medical information&lt;/em&gt;&lt;/a&gt;&lt;em&gt; on millions of Americans if the company failed to meet payment demands. 
Express Scripts is currently offering a &lt;/em&gt;&lt;a href="http://voices.washingtonpost.com/securityfix/2008/11/pharmacy_processor_offers_1m_r.html"&gt;&lt;em&gt;$1 million reward&lt;/em&gt;&lt;/a&gt;&lt;em&gt; for information leading to the arrest and conviction of the individual(s) responsible for trying to extort money from the company&lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;/em&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-1055045561982226643?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/1055045561982226643/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=1055045561982226643&amp;isPopup=true' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/1055045561982226643'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/1055045561982226643'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/05/hackers-break-into-virginia-health.html' title='Hackers Break Into Virginia Health Professions Database, Demand Ransom'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-8306874109221318533</id><published>2009-05-04T10:10:00.000-07:00</published><updated>2009-05-04T15:52:53.422-07:00</updated><title type='text'>LexisNexis loses 32,000 from 
2004 to 2007!</title><content type='html'>&lt;a name="LETTER.BLOCK16"&gt;I normally shy away from posting data breach notices. After all, there are so many that we can be inured to the severity of each one. I posted this because, while we debate how bad identity theft is, thieves are having a field day at our collective expense. And it took two years for the notification to the potential victims to take place! &lt;strong&gt;Wake up folks! You cannot prevent these breaches. &lt;/strong&gt;Be proactive and avail yourselves of a professional identity theft service that provides you with access to attorneys, and restoration from all types of ID theft. Databases are hacked routinely across the world, and by international crime rings. &lt;/a&gt;One of my favorite quotes is, "You have to participate in your own rescue." Go to the link to the &lt;strong&gt;I've been Mugged&lt;/strong&gt; column in my links section for a very good article on this particular breach.&lt;br /&gt;&lt;br /&gt;&lt;em&gt;LexisNexis has notified tens of thousands that their personal information was exposed in a database security breach, reports the Associated Press. On Friday, the company sent letters to 32,000 people whose information is contained in the LexisNexis database and may have been accessed by fraudsters. Thieves accessed the data between 2004 and 2007 by breaking into the mailboxes of businesses that contained LexisNexis database information, the AP report states. 
Postal authorities have contacted about 300 of those affected to let them know the perpetrators, former LexisNexis customers, set up fake credit cards using their information.&lt;/em&gt; &lt;a style="FONT-WEIGHT: bold; FONT-FAMILY: Verdana,Geneva,Arial,Helvetica,sans-serif" href="http://rs6.net/tn.jsp?et=1102569801934&amp;amp;s=40570&amp;amp;e=001N-Hu2YCfU_R-1eBIkoM3rQy8Xttfuom9cx555VjX_MBkkIjAKW7Hc3_1o9PnxEZ268Q06AGMZepkvwyo9TlfIWe74r-SE-RqmQeeWpqCk3SkDDlMao57lJSn-cOmM8qSmXCYPekWDCrMapHerShV4flRy7E0rStwf5lWbznShduEuXkbbiwJyysmvRM-82nwSdvooG3wiCrvZU7A6cJPlA==" target="_blank" linktype="link" track="on"&gt;Full Story&lt;/a&gt;&lt;/a&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-8306874109221318533?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/8306874109221318533/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=8306874109221318533&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/8306874109221318533'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/8306874109221318533'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/05/lexisnexis-loses-32000.html' title='LexisNexis loses 32,000 from 2004 to 2007!'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-7986803805384116997</id><published>2009-05-04T08:56:00.000-07:00</published><updated>2009-05-08T10:14:07.959-07:00</updated><title type='text'>Adopting a Written Identity Theft Policy</title><content type='html'>In light of the recent extension by the FTC of the compliance phase of the new Red Flags Rule (FACTA) I began to wonder what business execs must be thinking. Are they simply in the dark as to whether their business is considered to be covered under this legislation? Are they unclear about being within the jurisdiction of the FTC? Are businesses confused about what compliance entails? Are they concerned about the costs, or a disruption in business? Are they fearful that compliance might expose serious flaws in their current practices? Or is the hubris such that they don't believe this is real and won't affect them? After all, some believe that if they have never had a problem so far, why should they think it might happen now? One question that I might ask is: how do you know for certain that it hasn't happened yet? One very reliable national statistic out recently noted the results of interviewing thousands of small business owners. Only &lt;strong&gt;6% of the small business owners surveyed could positively state that their business had not been the source of stolen data or identity fraud.&lt;/strong&gt; It only takes a disgruntled or recently downsized employee a few minutes to download files onto a CD or flash drive and walk out. 
That can set into motion a very nasty series of events starting with identity theft episodes and lawsuits, and because of state notification rules, a possible loss of clients due to a lack of confidence. That is before the federal government steps in. The FTC has the authority to levy fines, prosecute, and require extensive audits. And the business may never discover the source of the loss. As more people lose their jobs in the economic downturn, cases like that are happening more often at businesses, medical facilities, local government agencies, and schools throughout the country.&lt;br /&gt;Another relevant question is simply to ask what is the downside of a compliance program? After all, businesses comply with regulations all the time. They comply because the risk is such that non-compliance can be too costly, and of course because it is the right thing to do for reasons of safety or fairness.&lt;br /&gt;&lt;br /&gt;I have studied the identity theft laws and regulations on both the state and federal levels sufficiently to know that they are fairly written and do attempt to stem the tide of data theft and fraud. Let's take the &lt;em&gt;Red Flags Rule&lt;/em&gt; for example. Assessing risk and adopting an appropriate program is a very flexible part of the law. Companies are the best estimators of their risk if they are willing to accept that risk does exist and there is always room for improvements. Training of everybody on staff is the single most powerful part of the compliance procedure. After all, it is the employees of a business that handle the data that is to be safeguarded and tested for accuracy. If everyone on staff knows what to do and how to respond to problems you put a serious dent in the risk to the company. Now, what company does not want to lower risk?&lt;br /&gt;&lt;br /&gt;This should not be a topic for debate. It is the right thing to do for reasons of fairness and safety, and for most entities it can be done at very little or no cost. 
Every business, whether covered or not, should implement reasonable programs for their business. Where now is the downside?&lt;br /&gt;&lt;br /&gt;If I ran a business that shared sensitive personal information on my employees with the business next door to mine who happens to be my payroll service, and I adopted a program such as described in the Red Flags Rule, would I want that company next door to do the same? &lt;strong&gt;&lt;em&gt;Yes&lt;/em&gt;&lt;/strong&gt;! Is it because, if I went through it, so should he? After all, it is only fair. &lt;strong&gt;&lt;em&gt;No.&lt;/em&gt;&lt;/strong&gt; It is because legally we share the responsibility and risk. Only by both of us adopting a plan do we (both businesses) lower our shared risk even more. That is the idea here. That is the reason for this law, for businesses to adopt a plan and see to it that the companies they share such information with do the same. The net result should be lowering risk to all of our businesses. Who are the winners? All of us as individuals are the winners. Our personal information is safeguarded and properly vetted to be true, meaning that identity thieves have less of a chance to co-opt our accounts, open new ones, and take over our good name. Shouldn't that be the goal of a good identity theft law? In 2008 there were an estimated 10 million U.S. victims of financial and non-financial identity theft combined. In 2008 businesses directly lost nearly $50 billion to identity theft. Could a well-written identity theft law, if applied, have an effect on those numbers? I think so. Let's try it and see. What is the downside?&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;em&gt;Taylor and Associates&lt;/em&gt;&lt;/strong&gt; is prepared to assist any business with their program. Concerned about the sheer cost of using counsel to write a relevant plan for the board to adopt? We have taken care of that. We offer a framework for such a policy that any business can use and adapt to their individual needs. 
This policy framework was written by specialists in Privacy law to be consistent with the law, and by former Attorneys General as our panel of consultants. So now we have nearly or completely eliminated that cost. Next we train the staff. Do you need to hire expensive training consultants to perform that function? No. We are specially qualified as Identity Theft specialists to handle that as well. The cost? How about an hour of their time. That is your cost for the training. We gather the staff together in as many meetings as it will take to eventually see everyone and give them a solid hour of orientation on the company policy as adopted by the board, and include awareness of the realities of identity theft for themselves and their families. After all, identity theft can occur anywhere to anyone, no exceptions. Next we have to identify the person(s) responsible to administer the program for the business. Lastly in this case is to make notifications and communicate with the other businesses about your program and inquire about theirs. In any compliance program documentation is necessary to prove that compliance steps were taken and when. We provide all of the necessary documentation for everything mentioned above. After the program is begun we follow up as needed to update the program for all of our client businesses.&lt;br /&gt;&lt;br /&gt;Now, let's add up the costs for these compliance services,&lt;br /&gt;1. Written policy &lt;strong&gt;$0&lt;/strong&gt;&lt;br /&gt;2. Employee training &lt;strong&gt;$0&lt;/strong&gt; (one hour of time in mandatory company meetings)&lt;br /&gt;3. 
Letters and documentation &lt;strong&gt;$0&lt;/strong&gt;&lt;br /&gt;4. Notification letters and follow up with 3rd party and contractor businesses &lt;strong&gt;$0&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;No one can estimate the savings of a reduction in risk and potential liability. It cannot be done. Significantly lowering the risk of lawsuits and a loss of public confidence that results in losing customers could make the difference whether a business survives or fails in the most extreme cases, and at the least prevent identity theft. There is no downside to establishing an identity theft prevention program.&lt;br /&gt;When can we start?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-7986803805384116997?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/7986803805384116997/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=7986803805384116997&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/7986803805384116997'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/7986803805384116997'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/05/adopting-written-identity-theft-policy.html' title='Adopting a Written Identity Theft Policy'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-8327740526236528455</id><published>2009-05-01T08:11:00.000-07:00</published><updated>2009-05-01T10:29:00.719-07:00</updated><title type='text'>FTC Grants 90 Day Delay of Enforcement of ‘Red Flags’ Rule Requiring Creditors and Financial Institutions to Adopt Identity Theft Prevention Policy</title><content type='html'>&lt;strong&gt;&lt;em&gt;How about this?&lt;/em&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;The Federal Trade Commission will delay enforcement of the new “Red Flags Rule” until August 1, 2009, to give creditors and financial institutions more time to develop and implement written identity theft prevention programs.&lt;br /&gt;&lt;br /&gt;Here is the FTC website announcement,&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.ftc.gov/opa/2009/04/redflagsrule.shtm?goback=%2Ehom"&gt;http://www.ftc.gov/opa/2009/04/redflagsrule.shtm?goback=%2Ehom&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-8327740526236528455?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/8327740526236528455/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=8327740526236528455&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/8327740526236528455'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/8327740526236528455'/><link rel='alternate' type='text/html' 
href='http://jtidtheftblog.blogspot.com/2009/05/well-how-about-thisftc-will-grant-three.html' title='FTC Grants 90 Day Delay of Enforcement of ‘Red Flags’ Rule Requiring Creditors and Financial Institutions to Adopt Identity Theft Prevention Policy'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-27942999987756001</id><published>2009-04-30T09:45:00.001-07:00</published><updated>2009-04-30T09:46:28.963-07:00</updated><title type='text'>This Just In!</title><content type='html'>&lt;strong&gt;Red Flags Rule on Enforcement Eve&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;The FTC's Red Flags Rule goes into effect tomorrow. The rule intends to help prevent identity theft, reports InternetNews.com. "The Red Flags Rule covers what to do when, despite our best efforts, thieves steal data," said Tiffany George, an attorney for the FTC's division of privacy and identity protection. Prepping for compliance involves businesses' identifying their "red flags"--early indicators of suspicious or fraudulent activity. Compliance has come easily for some organizations affected by the &lt;a href="http://rs6.net/tn.jsp?et=1102566433907&amp;amp;s=40570&amp;amp;e=001zfJwIchX0zH_EG9G-gGCXYaNxt-p3ODqjTuRXyQhXwlfi3gNFZsrzy-KjX2h4OHK3vHVn51yiHrJi5-Bngmo8P42ZkdXjAMJj4k7TiPJIoQbAFh3vUnv5uT36hTOp2_y" target="_blank" track="on" linktype="link"&gt;rule&lt;/a&gt;, but for others the task has been more daunting. Some businesses have been surprised to find they fall under the rule's definition of "creditor."  
&lt;a href="http://rs6.net/tn.jsp?et=1102566433907&amp;amp;s=40570&amp;amp;e=001zfJwIchX0zHAPDKpkWoZgJ47z5v6i5Ing44ldYg2UcfELgubY8JLShGKidTI9n-JnArjL4iRxVGrAMyOOfvgy7CEi43ZHmG-Wbx4mj1NqrPGLvzpIiv5v8a-E8LdH4UkfxAn_SA-kwE6JmlReKqSYFlTw_S1E3PP4mC8zeNjNCZbOFRuLsdl9h9zHgMzxVQA5x3R9Ge43sVROVy3EmX76YbblbSUdIm-38qH8T3jkO8PUqJqAL9ZhV91X9gKs1WB" target="_blank" track="on" linktype="link"&gt;Full Story &lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-27942999987756001?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/27942999987756001/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=27942999987756001&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/27942999987756001'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/27942999987756001'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/04/this.html' title='This Just In!'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-9102623767789610263</id><published>2009-04-30T09:20:00.000-07:00</published><updated>2009-05-02T13:32:29.391-07:00</updated><title type='text'>FACTA Red Flags Rule enforcement begins</title><content type='html'>Tomorrow, May 1st the Federal Trade 
Commission will begin the enforcement phase as regards the Red Flags Rule (FACTA). The FTC estimates that an additional 11 million U.S. businesses are to be compliant on this date. These 11 million businesses are in addition to the savings and banking institutions that were to be compliant prior to November 1st of 2008. FDIC and NCUA have jurisdiction over the banking industry’s practices and will enforce compliance and perform compliance audits within that group.&lt;br /&gt;&lt;br /&gt;I have found that a lot of businesses don't understand that they are under the jurisdiction of the FTC. For example, mortgage brokers, investment advisors, law groups, and others cite various different regulatory agencies that cover their businesses. What they fail to understand is that the FTC has sweeping jurisdiction over the business “&lt;em&gt;practices&lt;/em&gt;”, not necessarily the business “&lt;em&gt;functions&lt;/em&gt;” of these types of businesses. When it comes to billing, maintaining accounts, ethical transactional practices, and commerce in general, the FTC is the federal authority. That can explain some of the confusion on the part of companies who are used to regulations surrounding the professional services they perform. Agencies and bodies such as the SEC, Departments of Justice, Commerce, BLM, etc., and state and national bar associations have authority to regulate certain industry practices, but the FTC is concerned mainly in this case with the “&lt;em&gt;sale of goods or services&lt;/em&gt;” to the public and the personal information businesses collect. The Commission is concerned with the protection of the public’s rights to fair treatment and protection from (sic) predatory or irresponsible actions on the part of business. 
That also extends to the safekeeping of the personal information companies maintain on their clients or customers, and adopting practices to identify, isolate, and report possible identity fraud.&lt;br /&gt;&lt;br /&gt;The FACT Act (1999) and subsequently the Red Flags Rule (2007) were designed in part to protect the personally identifiable information businesses collect in the process of doing business. The rule outlines the methods recommended in collection of this type of information, identifying possible fraudulent information, the safekeeping once it is collected, and the disposal of the data once it is no longer of practical use by the business. Other aspects of the rule are concerned with the adoption of a company identity theft policy, the education of employees, and the identity theft policies of contractors and service providers.&lt;br /&gt;&lt;br /&gt;There are other laws enacted that also cover these kinds of practices. The Gramm-Leach-Bliley Safety Rule (GLB), and the Health Insurance Portability and Accountability Act (HIPAA) are examples of these rules and regulate these practices for specific types of organizations. With the enactment of the Red Flags Rule there is an overlapping of some of these compliance regulations which is taking us, in my opinion, to a more universal set of compliance guidelines for all businesses, non-profits, state and local government agencies to follow. As more data is collected from forensic studies subsequent to breaches and identity theft episodes, there emerge predictable practices that all entities should follow regardless of the industry type. 
We are also closer to a more universal reporting and notification regulation that hopefully will provide simple bright line criteria for any affected organization to inform the public when their information is at risk of identity misuse due to a breach or loss.&lt;br /&gt;&lt;br /&gt;It is incumbent on all businesses or any entity that acts as a “creditor” or “financial institution” &lt;em&gt;&lt;strong&gt;as defined by the FTC&lt;/strong&gt;&lt;/em&gt; to assess that entity’s risk of data loss or accepting information that may indicate identity fraud. As I wrote in a previous column, businesses are finding that this kind of assessment is helpful to the company as it brings this issue into focus. Having a plan for a business is essential whether it is about data loss, identity fraud, or about increasing revenue. And no business can afford the fallout from such an episode without a plan.&lt;br /&gt;&lt;br /&gt;As to enforcement, Betsy Broder, Assistant Director for Privacy and Identity Protection for the FTC made it clear last week that enforcement will begin immediately and will begin with the most risky businesses that have done nothing to date regarding an identity theft program.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;em&gt;Taylor and Associates&lt;/em&gt;&lt;/strong&gt; can assist any organization with their program, and provide the essential training and documentation required.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-9102623767789610263?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/9102623767789610263/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=9102623767789610263&amp;isPopup=true' title='0 Comments'/><link rel='edit' 
type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/9102623767789610263'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/9102623767789610263'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/04/facta-red-flags-rule-enforcement-begins.html' title='FACTA Red Flags Rule enforcement begins'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-7702155712930183680</id><published>2009-04-23T10:11:00.000-07:00</published><updated>2009-04-23T10:13:16.824-07:00</updated><title type='text'>Study: Lost Laptops = Big Bucks</title><content type='html'>From today's IAPP bulletin,&lt;br /&gt;&lt;br /&gt;The Mercury News reports on the results of an Intel-commissioned study on business costs associated with lost or stolen laptops. Over five months, researchers from the Ponemon Institute examined 138 lost-laptop incidents across 29 business and government organizations. The typical cost per laptop to employers was $49,246. Much of the expense derives from the valuable sensitive data contained on the missing machines. "With each lost laptop there is the risk that sensitive data about customers, employees and business operations will end up in the wrong hands," according to the Ponemon report. 
&lt;a style="FONT-WEIGHT: bold; FONT-FAMILY: Verdana,Geneva,Arial,Helvetica,sans-serif" href="http://rs6.net/tn.jsp?et=1102559717528&amp;amp;s=40570&amp;amp;e=0015HXxqe56QSSg55YTZ_IGNa5U6AuaWRrI7ruxz17B9py29_wiSjKTpAKq2P30LTPqH1NcSXZ9yzuCEkXRzNtr1J8r11liLdY8U6OCYB7o3-1jawPNJHxqoclwXen7wwEUL-oSaU5sfAeMOZvkYNJzGuuf7itRQSfH" target="_blank" linktype="link" track="on"&gt;Full Story&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-7702155712930183680?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/7702155712930183680/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=7702155712930183680&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/7702155712930183680'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/7702155712930183680'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/04/study-lost-laptops-big-bucks.html' title='Study: Lost Laptops = Big Bucks'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-2166004274482149562</id><published>2009-04-20T10:15:00.000-07:00</published><updated>2009-04-20T12:05:16.075-07:00</updated><title type='text'>HEALTHCARE PRIVACY IN THE U.S.</title><content type='html'>As the 
&lt;em&gt;American Recovery and Reinvestment Act&lt;/em&gt; of 2009 (ARRA), unfolds businesses are going to have to pay attention. This legislation will affect everyone in some way and knowledge of the law and how it pertains to business will be the responsibility of each individual business Board of Directors or owner.&lt;br /&gt;&lt;br /&gt;&lt;em&gt;The Department of Health and Human Services (DHSS), on Friday published &lt;/em&gt;&lt;a href="http://rs6.net/tn.jsp?et=1102555777581&amp;amp;s=40570&amp;amp;e=001yr1R4_h-E1p4br5Ff8U1R2aXEsmF9zC_oJgsIicppZBabVTwUMo3fVRImaaKeoe93xNP8CeC4JxEJ-W7wyBctfVjE_uEI1-hKI0k9myxSayggeerXZi02nJ1s1yV80pu_1Kv2HMLyPPXupwVvoBKGrYuNj6UWsOxuJU6k5ZXeX69aE98xv_x7z2mC-4AWhI_%20" track="on" linktype="link"&gt;&lt;em&gt;guidance&lt;/em&gt;&lt;/a&gt;&lt;em&gt; aimed at helping entities secure and protect health information. "Protecting patient privacy is a top priority and this guidance specifies proactive steps organizations can take to limit the potential harm a breach can cause," said HHS spokesperson Nick Papas. The guidance stems from requirements in the Health Information Technology for Economic and Clinical Health (HITECH) Act. It covers the standards for what makes PHI "secured," and a request for information related to the security breach notification requirements. 
&lt;/em&gt;&lt;a href="http://rs6.net/tn.jsp?et=1102555777581&amp;amp;s=40570&amp;amp;e=001yr1R4_h-E1rVkM3aTAsqun-hMud3Rpkm8-YI5L50SrKOma4X2o13YWqgh1kSjg6XKcwC9DKv18HzuAljRrt1NlULVtzJKZ_oPpNHwJevqzrECqfeZbHQipHzxsnTSdbPI1U4Ym330WIQgNC15IjLWYQGYivXngbKCfrtPszImuU=" target="_blank" track="on" linktype="link"&gt;&lt;em&gt;Full Story&lt;/em&gt;&lt;/a&gt;&lt;em&gt;&lt;br /&gt;&lt;/em&gt;&lt;br /&gt;Just as the &lt;em&gt;Red Flags Rule&lt;/em&gt; (FACTA) affects most businesses including those businesses who are not accustomed to FTC oversight, the HITECH Act will also impact the way businesses collect and use personal medical information.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-2166004274482149562?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/2166004274482149562/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=2166004274482149562&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/2166004274482149562'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/2166004274482149562'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/04/healthcare-privacy-in-us.html' title='HEALTHCARE PRIVACY IN THE U.S.'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-1883117989754822903</id><published>2009-04-14T08:47:00.000-07:00</published><updated>2009-04-16T09:16:04.965-07:00</updated><title type='text'>ID Theft Red Flags Rule: Are You Ready for May 1? Part 2</title><content type='html'>In yesterday’s column I wrote about the very positive benefits that can result from an organization initiating an identity theft policy. One more important benefit I didn't mention. The very fact that a business has gone through this process shows the commitment to increased awareness and a proactive stand on data theft, and should be made known to the public at large. Do you think that people will tend to choose businesses that have an identity theft program over those who do not? Of course they will, but only if they are aware that the program has been established.&lt;br /&gt;&lt;br /&gt;Today I want to focus once again on the subject of what is a covered business compared to those who are not considered by the FTC to be covered by this particular law. The Red Flags Rule was written as an addendum to FACTA as a means of defining the circumstances that businesses who are affected need to focus on when opening new relationships with clients or when revisiting existing ones.&lt;br /&gt;The Commission has identified a number of "red flags" which are indicators of possible identity fraud. Among other steps, anyone handling such information has the responsibility to use a method of verification of such information that has been spelled out in a company identity theft policy. Does this mean that other businesses can ignore this legislation? Absolutely not. That's not all that businesses need to do. There are a host of daily office practices that should be addressed. 
Also the critical issue of determining the practices of each service provider or contractor a company uses cannot be overlooked. You share responsibility with each of them. Whether a business is considered covered by these rules or not it is good business practice to incorporate some of these steps to reduce the risk to the company, and to instill that culture of security within the company. That is simple good risk management policy.&lt;br /&gt;&lt;br /&gt;Since last fall, the FTC has promoted an extensive outreach effort to explain the rule in greater detail, speaking at many business conferences, hosting seminars and the &lt;a href="http://www.ftc.gov/redflagsrule" target="_blank"&gt;FTC's dedicated website on ID Theft Red Flags compliance&lt;/a&gt;. According to Betsy Broder, Assistant Director, Division of Privacy and Identity Protection for the Federal Trade Commission, many companies that didn't think of themselves as creditors now realize they are a covered entity under this rule.&lt;br /&gt;Broder says the covered entities, no matter what their size, must design and implement a written identity theft prevention program. The rule is not based on what kind of information a business collects, but whether it is a financial institution or a creditor. "&lt;em&gt;&lt;strong&gt;A creditor is broadly described as anyone who defers payment on a debt, or anyone who defers payment on goods or services,"&lt;/strong&gt;&lt;/em&gt; Broder says.&lt;br /&gt;&lt;br /&gt;Under the ID Theft Red Flags Rule a creditor is:&lt;br /&gt;· Any entity that regularly extends, renews or continues credit;&lt;br /&gt;· Any entity that regularly arranges for the extension, renewal or continuation of credit;&lt;br /&gt;· Any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit.&lt;br /&gt;Accepting credit cards as a form of payment does not in and of itself make an entity a creditor. 
But creditors do include:&lt;br /&gt;· Finance companies;&lt;br /&gt;· Automobile dealers;&lt;br /&gt;· Mortgage brokers;&lt;br /&gt;· Utilities;&lt;br /&gt;· Telecommunications companies.&lt;br /&gt;&lt;br /&gt;Even healthcare providers who defer payment (provide credit) for patients also fall under the creditor status, according to the rule. Any interaction where a consumer is not paying up front would make the business a creditor. "So in the healthcare context, even where a consumer offers insurance (that would normally cover the bill), if the patient is still ultimately responsible for medical fees not covered by insurance, then that hospital or doctor's office would be considered a creditor," Broder says.&lt;br /&gt;&lt;br /&gt;Where non-profit and government entities defer payment for goods or services, they, too, are considered creditors. Most creditors, except for those regulated by the federal bank regulatory agencies and the National Credit Union Administration (NCUA), fall under the FTC's jurisdiction.&lt;br /&gt;With May 1 only a few weeks away, Broder pauses when asked for specific areas the FTC will focus on when enforcing the Red Flags rule. "It is hard to say when we get to enforcement stage what areas or industries we'll be looking at," she says. "But as in past enforcement activities, high-risk entities that have taken virtually no steps to mitigate risk or build a program will be on top of the list."&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Taylor and Associates&lt;/strong&gt; is ready to assist any company regardless of size or industry with its identity theft program. We can provide everything from a framework for a working policy to staff training and documentation, including help in reaching out to contractors and vendors to ascertain their policies.&lt;br /&gt;&lt;br /&gt;Remember, “&lt;strong&gt;&lt;em&gt;When you protect the information you keep on others you are protecting them. 
When others do it they are protecting you.”&lt;/em&gt;&lt;/strong&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-1883117989754822903?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/1883117989754822903/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=1883117989754822903&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/1883117989754822903'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/1883117989754822903'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/04/id-theft-red-flags-rule-are-you-ready_14.html' title='ID Theft Red Flags Rule: Are You Ready for May 1? Part 2'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-2863370865423137321</id><published>2009-04-13T16:35:00.000-07:00</published><updated>2009-04-14T08:16:49.988-07:00</updated><title type='text'>ID Theft Red Flags Rule: Are You Ready for May 1? Part 1</title><content type='html'>Are businesses profiting from the process of establishing their identity theft response program? With the May 1st deadline fast approaching I found an article today that bears noting.
&lt;br /&gt;&lt;br /&gt;At a recent conference, an executive from a large creditor company told Betsy Broder, Assistant Director, Division of Privacy and Identity Protection at the Federal Trade Commission.&lt;br /&gt;&lt;em&gt;&lt;strong&gt;"This Red Flags rule was one of the best business exercises that his company had been through in years."&lt;/strong&gt;&lt;/em&gt; The entire program's development forced the creditor to approach this issue in a much more logical, structured way, so that it now has one document that captured all of the company's fraud detection and response programs. &lt;em&gt;&lt;strong&gt;"It made them approach it in a more holistic fashion,"&lt;/strong&gt;&lt;/em&gt; Broder says. &lt;em&gt;&lt;strong&gt;"For that reason alone, they thought it was a beneficial exercise for them to go through." &lt;/strong&gt;&lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;strong&gt;&lt;br /&gt;&lt;/strong&gt;&lt;/em&gt;I have written numerous pieces here and in other publications about the various benefits of having such a program. Companies can benefit in a number of ways from a &lt;em&gt;culture &lt;/em&gt;shift as mentioned above, but also by training. At &lt;strong&gt;Taylor and Associates&lt;/strong&gt; we focus on the benefit to the staff by providing a solid education of identity theft so they can better understand what we mean by identity theft. Not only what we see on television and the newspaper, but also the less understood and potentially more dangerous aspects of the crime. With this increased understanding employees are more apt to be proactive and protective with the files and information they handle on the job. Once armed with the knowledge of how identity theft can affect them and their families the more effective they are in joining the solution to combat identity theft.
&lt;br /&gt;&lt;/strong&gt;&lt;/em&gt;&lt;br /&gt;These programs should be individually designed to bring each company into compliance with the law, but also to create the “culture of security” the FTC is trying to establish. This is most effective when management is committed to making the program work, and that all staff has been thoroughly oriented on their roles in implementing the program. Add to that the component of vendor oversight and you will have a healthy approach and response to the threat of data loss.&lt;br /&gt;&lt;br /&gt;Tomorrow I will visit more of this article as we prepare to meet that May 1st deadline.&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-2863370865423137321?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/2863370865423137321/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=2863370865423137321&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/2863370865423137321'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/2863370865423137321'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/04/id-theft-red-flags-rule-are-you-ready.html' title='ID Theft Red Flags Rule: Are You Ready for May 1? 
Part 1'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-5146848668306340753</id><published>2009-04-06T10:06:00.001-07:00</published><updated>2009-04-09T15:33:10.229-07:00</updated><title type='text'>FTC Launches Red Flags Website</title><content type='html'>After a year or more of confusion on the part of businesses and their counsel the Federal Trade Commission (FTC) has launched a &lt;a href="http://rs6.net/tn.jsp?et=1102541239370&amp;amp;s=40570&amp;amp;e=001xgXS_FbaR2l5FQnf-zwsdguLXYeq6bhApW1f7jIeIq-997lriQ0VEC4lA_Loqm_xbXLJWbO_TQ6dfuGuFc5NjbH3K3c8sRzcg93VvtJqBTEaOtOqQBMQn52pm0cZh5G5" target="_blank"&gt;Web site&lt;/a&gt; to help businesses and non-profits to come into compliance with the Red Flags Rules. The FTC will begin enforcing the rules on May 1. The site offers articles and guides for helping create identity theft prevention programs, a key requirement of the rules. The site also details which entities must adhere to the rules, which were created to reduce instances of identity theft. The FTC has also published a very good guide for businesses who must determine if they have “covered accounts” and how to go forward with their program. 
I have added a permanent link to the FTC Red Flags site to my links for your convenience.&lt;br /&gt;&lt;br /&gt;Coming on the heels of the latest Health Information Technology for Economic and Clinical Health Act (HITECH) which has sweeping new notification requirements, and was signed into law by the President Feb 17th as part of the American Recovery and Reinvestment Act, it is now very clear that not only is the government going ahead with FACTA enforcement on May 1st, but is also addressing the varying discrepancies in state notification and reporting laws. The new federal notification law has a much lower threshold for reporting and will often constitute the rule for reporting breaches and the notification to all affected parties. Go to Ephemeralaw (link below), for a good overview of this new legislation.&lt;br /&gt;&lt;br /&gt;Businesses need to take heed of these changes in the law and take the appropriate actions. Not doing so can result in serious penalties.&lt;br /&gt;&lt;br /&gt;In spite of confusion and even resistance on the part of some companies it should be very clear that the paradigm has shifted regarding the protection of sensitive personal information. It is no longer possible to simply get by, every covered business must by law follow specific guidelines or face very serious consequences.&lt;br /&gt;&lt;br /&gt;For any entity that identifies itself as needing to be in step with the FACTA Red Flags Rule &lt;em&gt;&lt;strong&gt;Taylor and Associates&lt;/strong&gt;&lt;/em&gt; provides a great deal of the framework for such a plan and policy including the employee training, documentation, and contractor/service provider oversight as well as an outline for an actual policy itself for identifying the red flags and a response plan. 
For any business who wishes more information about that program I can be contacted by way of my &lt;em&gt;&lt;strong&gt;business website&lt;/strong&gt;&lt;/em&gt; in the links portion of this column.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-5146848668306340753?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/5146848668306340753/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=5146848668306340753&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/5146848668306340753'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/5146848668306340753'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/04/ftc-launches-red-flags-website.html' title='FTC Launches Red Flags Website'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-1679110093069586576</id><published>2009-04-03T09:15:00.000-07:00</published><updated>2009-04-03T14:58:40.702-07:00</updated><title type='text'>Compliance with new Identity Theft legislation</title><content type='html'>This isn’t the first time I have written about the new Red Flags rule legislation, nor will it be the last apparently. 
It seems that a lot of business people want to weigh in on their own to declare proudly that they and their business are not covered by that law and to stop bugging them about it.&lt;br /&gt;&lt;br /&gt;Here’s the rub with that. Unless you collect cash up front from all of your clients before rendering a service or product, and have no employees, and do not have any financial relationships with individuals, your business, non-profit or local government agency is considered by the Federal Trade Commission to be covered. Now, my business is completely in step with this and other privacy laws so I really don’t care if your business is compliant or not. I do have the right however to refrain from doing business with you. I’m going to ask you to show me your policy program to prevent identity theft specifically in your company. If you can’t produce that document I will move on to another business. And I will advise everyone to do the same.&lt;br /&gt;It’s after May 1st and your business suffered a breach of information. You are required to notify everyone affected that you lost their information, and the federal auditors who will visit your firm are going to ask you to show them your identity theft plan. For your sake and that of your business I hope you can produce it.&lt;br /&gt;&lt;br /&gt;Every few days in the last month or so I got an article or legal opinion from a different industry group advising their member businesses that they should be compliant prior to May 1st. Today it was the American Veterinary Medical Association. Last week it was the AM News, the news source for the AMA, the American Dental Association, and a state BAR. The legal profession is among the worst. I’m convinced that you can find General Counsel who will say almost anything the boss wants to hear. 
I can’t tell you how many GCs have told me outright that their companies don’t have to be concerned with these laws only to find out by actually reading the Act and seeking opinion from privacy specialists that they were wrong. Not to impugn the legal business but why do so many practicing attorneys take the automatic position that someone else is wrong on a subject they themselves know very little about? Pride is a dangerous thing when it is applied to business.&lt;br /&gt;&lt;br /&gt;I don't mean to single out lawyers, they are not alone by a long shot. I had a nationally prominent accountancy and investment wealth advisory tell me outright that the FTC had absolutely no oversight of his industry! This finger pointing to the other guy, half-cocked opinions, and squirming leaves me to wonder. “What are these guys all afraid of?”&lt;br /&gt;&lt;br /&gt;Now, this might not seem like the most pressing issue of the day to a lot of folks, but to the millions of victims of identity theft it is. And after looking at the penalties that have already been imposed on businesses that have suffered breaches, along with court actions on the part of victims no business wants that kind of liability. 
I have yet to find a business owner who has been victimized or knows someone who has that is reluctant to initiate an identity theft program for his or her business.&lt;br /&gt;It’s April 3rd; 27 days isn’t very long to get your act together.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-1679110093069586576?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/1679110093069586576/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=1679110093069586576&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/1679110093069586576'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/1679110093069586576'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/04/compliance-with-new-identity-theft.html' title='Compliance with new Identity Theft legislation'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-3277158218425992730</id><published>2009-03-30T09:46:00.000-07:00</published><updated>2009-03-30T13:30:31.270-07:00</updated><title type='text'>If You Are Me Then Who Am I?</title><content type='html'>&lt;a href="http://www.amazon.com/If-You-Are-then-Who/dp/144011773X"&gt;If You Are Me Then Who Am I? 
The personal and business reality of identity theft&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I know I posted a recommendation for this book recently but it bears mentioning again. This book does a good job explaining just where we are with identity theft legislation, what we can do as individuals to protect ourselves, the steps most victims usually encounter when they are trying to go it alone to set the records straight, how the law works (or doesn’t work), and how smart businesses can fight the bleeding of sensitive information from their companies. There is an intersection where privacy law, privacy rights, and identity theft merge. This is really at the crux of what identity theft has become and how it affects us as individuals in more ways than we thought. &lt;em&gt;&lt;strong&gt;If You Are Me&lt;/strong&gt;&lt;/em&gt; delves into that rather sticky subject with the same objectivity that they treat the other topics they cover. Seeing the scenarios as they might play themselves out helps you to understand just how critical records accuracy is.&lt;br /&gt;&lt;br /&gt;I chose early on to concentrate this column on business-related topics. The subject is simply too vast for most mortals to tackle, but not the authors of this book. I recommend it to any privacy professional simply because it will shake up some preconceived notions we all have when our work is focused and rather narrow. The authors of this book have laid out in plain terms what the state of identity theft is right now, and where we have come in the past several years. 
No one can claim to know what will happen in the future of fighting identity theft so this book takes the intelligent approach of trying to prepare us with information and other tools.&lt;br /&gt;&lt;br /&gt;Besides privacy specialists, anyone who thinks they know about identity theft and data loss should read it too.&lt;br /&gt;&lt;br /&gt;Bravo to the authors!&lt;br /&gt;&lt;br /&gt;Remember, “When you protect the information you keep on others you are protecting them. When someone else does it they are protecting you.”&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-3277158218425992730?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/3277158218425992730/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=3277158218425992730&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/3277158218425992730'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/3277158218425992730'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/03/if-you-are-me-then-who-am-i_30.html' title='If You Are Me Then Who Am I?'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-7318969173350936203</id><published>2009-03-25T16:00:00.000-07:00</published><updated>2009-03-26T10:05:03.905-07:00</updated><title type='text'>Compliance? Fugeddaboutit!</title><content type='html'>In my work of helping businesses to meet standards of compliance with &lt;a href="http://www.securityprivacyandthelaw.com/tags/red-flags-regulations"&gt;FACTA&lt;/a&gt; and &lt;a href="http://www.ftc.gov/privacy/privacyinitiatives/glbact.html"&gt;GLB&lt;/a&gt; requirements I constantly run into lazy attitudes regarding encryption, and basic steps like not recycling photocopies with sensitive data on them, locking files away, and so forth. For example, I was in a bank recently giving a talk on how data is stolen, and in the office area where I was speaking the Chief Loan Officer had his computer monitor facing the street by way of a huge picture window only 5 feet away. And in plain view of the public walking by!&lt;br /&gt;&lt;br /&gt;The bottom line for me is pretty simple. Given the attitude on the part of businesses of all types and sizes, the massive holes in the PCI DSS and state notification legislation, why is everyone wringing their hands wondering what to do? Get a real (read professional), identity theft service that will actually help you when you need it, and largely put the issue to rest. This is not to say that we can stop pursuing compliance on the part of business. 
That is going to take a lot longer than necessary due to the reluctance of business to comply with some simple procedures. The problem for us is that identity thieves aren't going to wait. This set of crimes is increasing every year, and shows no signs of slowing down. I am addressing what we as individuals can do right now to protect ourselves proactively.&lt;br /&gt;&lt;br /&gt;In 2001 I was a victim of identity theft that cost me over $26,000 to solve (is it really solved? I don't know), and 2+ years of agony. I can say without reservation that if I had the service I have now it wouldn't have cost me one dime more than my service. Not so incidentally $26,000 is over 18 years of my identity theft service, and it protects both my wife and me. Is that a cost effective service? I think so.&lt;br /&gt;&lt;br /&gt;Now we are facing the Electronic Records Initiative as part of the economic recovery package. This is designed to compile all of our medical records in "cloud" servers available to, well, almost everyone. While this can be a massive cost savings to the health care industry, and potentially a great advantage for the individual when we seek medical help or prescriptions, it also opens a whole new set of security problems to solve. Medical identity theft is the fastest growing category of identity theft, and potentially the most dangerous. It can cost you your life. When will Americans wake up and realize that identity theft is a vast subject and a simple fraud alert or monitoring service will not help? And waiting to be a victim so your employer will buy you a year of free monitoring is not very smart either. We all need to take the initiative ourselves and stop our victim mentality.&lt;br /&gt;&lt;br /&gt;How long did it take business to install ramps for people who needed them? ADA has been around for decades and we are still fighting that one. 
What makes anyone think this will be any different? Surely there are laws with very stiff penalties, but mere laws won’t stop a good old American business from ignoring the facts. Even when this is presented as the right thing to do, appealing to a business owner’s sense of right and wrong, a lot of them still don’t get it. Legislation is seen as an invasion to a business owner regardless of the nature of the law and its intention. It's an automatic reaction. The brain reels at the idea of compliance, a signal is sent throughout the body and, voila! Knee jerk! They see this as something they have to do for someone else that just gets in the way. I have often said that when you protect the information you keep on others you are protecting them. When someone else does it they are protecting you. Any business owner who has been a victim of identity theft &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_6"&gt;does not&lt;/span&gt; have to be convinced that these laws are worthwhile. In fact, in my experience they are eager to develop a plan to protect information, and are looking for guidance as to implementing such a plan.&lt;br /&gt;&lt;br /&gt;Until such a time when all businesses and users of personal information take data security seriously we as the public need to take the initiative to safeguard ourselves. Don’t wait for them; it is a dangerous game with very high stakes for you. 
And without a good restorative service to be your advocate you will be left largely alone to suffer the misery of trying to fight the system in clearing your name and records.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-7318969173350936203?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/7318969173350936203/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=7318969173350936203&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/7318969173350936203'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/7318969173350936203'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/03/compliance-fageddaboutit.html' title='Compliance? 
Fugeddaboutit!'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-7542472708500386402</id><published>2009-03-25T09:34:00.000-07:00</published><updated>2009-03-25T09:36:37.435-07:00</updated><title type='text'>Red Flag rules Deadline May 1st</title><content type='html'>This morning William Morriss, who is co-author of the blog &lt;strong&gt;&lt;em&gt;Ephemeralaw&lt;/em&gt;&lt;/strong&gt;, made the following post written by his colleagues Jane Shea and Gretchen Ackerman (see links).&lt;br /&gt;I cannot find a way to improve on the research and work they have done, so I have obtained permission to post the article as published. As the controversy swirls about like a hot potato the May 1st deadline is fast approaching. I think one of the saddest aspects of this is that the individual is lost in the argument. And it is the individual that is supposed to be protected by these new rules. Compliance doesn’t have to hurt, and for most every business it need not be a financial burden. In the words of Kirk Nahra, a noted expert in privacy law, “It’s the right thing to do.” Once again, here is a solid article written by professionals, and aimed at businesses in America as a wake-up call. 
For more from &lt;em&gt;&lt;strong&gt;Ephemeralaw&lt;/strong&gt;&lt;/em&gt; there is a link to their writings in my links below.&lt;br /&gt;&lt;br /&gt;Thank you William, Jane, and Gretchen&lt;br /&gt;&lt;br /&gt;    &lt;a href="http://ephemerallaw.blogspot.com/2009/03/red-flag-rules-deadline-may-1.html"&gt;Red Flag Rules - Deadline May 1&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;My colleagues &lt;a href="http://www.frostbrowntodd.com/jshea/"&gt;Jane Shea&lt;/a&gt; and &lt;a href="http://www.frostbrowntodd.com/gretchen_ackerman/"&gt;Gretchen Ackerman&lt;/a&gt; have published a new business advisory on the FTC red flag rules. I am posting it here with permission.&lt;br /&gt;&lt;br /&gt;The May 1, 2009 deadline for creating and implementing an Identity Theft Protection and Prevention Program required by FTC Rules is fast approaching. The Identity Theft Red Flag Rules apply to all organizations with accounts primarily for personal, family or household purposes that permit multiple payments. Creditors subject to these rules include utilities, retailers, local governments, and car dealers, if such organizations carry consumer accounts permitting multiple repayments. Many hospitals and patient care facilities extend credit to patients for deferred payment of treatment costs. These health care entities must implement an Identity Theft Protection and Prevention Program to identify, detect and respond to the possible existence of identity theft with respect to these accounts. Health care entities must also take care to ensure that these programs do not conflict with other Federal and State laws, rules and regulations such as EMTALA. The FTC Rules require all such organizations to develop and implement a proactive identity theft prevention program, and provide detailed guidelines intended to provide assistance in creating such a program. 
Financial institutions regulated by a regulatory agency other than the FTC were required to adopt and implement an Identity Theft Protection and Prevention Program no later than November 1, 2008. Federal regulators were required by the FACT Act of 2003 to issue regulations that implement Section 114 of the Act, which amended the Fair Credit Reporting Act to require financial institutions and other creditors which maintain consumer accounts to adopt and maintain a written Identity Theft Prevention Program to detect, prevent, and mitigate identity theft in connection with the opening of accounts maintained for personal, family or household purposes, so long as the accounts permit multiple payments or transactions. Examples include credit card accounts, patient deferred payment plans, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts or savings accounts.&lt;br /&gt;&lt;br /&gt;The regulations provide organizations subject to the Rules with flexibility in developing their programs according to their relative size and complexity. However, the Program must include reasonable policies and procedures that:&lt;ul&gt;&lt;li&gt;identify relevant Red Flags, and then incorporate those Red Flags into the Program;&lt;/li&gt;&lt;li&gt;detect such Red Flags;&lt;/li&gt;&lt;li&gt;respond appropriately to any Red Flags to prevent and mitigate identity theft; and&lt;/li&gt;&lt;li&gt;ensure that the Program is updated periodically to reflect changes in risks to customers.&lt;/li&gt;&lt;/ul&gt;What are the "Red Flags"? The regulations define them as a "pattern, practice, or specific activity that indicates the possible existence of identity theft." However, the concept is fleshed out considerably in the supplementary materials to the regulations. The federal regulatory agencies have adopted Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation. 
The Regulations include a section explaining the relationship of the rules to the guidelines, specifically, that each financial institution or creditor must consider the guidelines in developing its Program, and must include those Guidelines that are appropriate. They provide policies and procedures that can be used, where appropriate, to satisfy the regulatory requirements of the Rules. Thus, the Guidelines provide with respect to risk factors an organization should consider in identifying red flags, likely sources of red flags, and categories of red flags that should be included in the Program. Additionally, the supplementary materials to the Guidelines include illustrative examples of Red Flags which may be incorporated into a Program, and break these down into five categories: 1) Alerts, Notifications or Warnings from a Consumer Reporting Agency; 2) Suspicious Documents; 3) Suspicious Personal Identifying Information; 4) Unusual Use of, or Suspicious Activity Related to, the Covered Account; and 5) Notice from Customers, Victims of Identity Theft, Law Enforcement Authorities, or Others Regarding Possible Identity Theft in Connection with Covered Accounts Held by the Financial Institution or Creditor. 
Examples include:&lt;ul&gt;&lt;li&gt;a fraud or active duty alert is included with a consumer report&lt;/li&gt;&lt;li&gt;a consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report&lt;/li&gt;&lt;li&gt;a consumer reporting agency provides a notice of address discrepancy&lt;/li&gt;&lt;li&gt;identification documents appear to be forged&lt;/li&gt;&lt;li&gt;inconsistencies between identification provided and the consumer's/patient's appearance or the information actually provided by the consumer/patient&lt;/li&gt;&lt;li&gt;inconsistencies between personally identifying information provided and that obtained from external information sources&lt;/li&gt;&lt;li&gt;a new revolving credit account is used in a manner commonly associated with known patterns of fraud.&lt;/li&gt;&lt;/ul&gt;Once the Program has been established, the organization must administer the Program, and not simply place it on a shelf. This involves requiring that the board of directors or an appropriate committee of the Board approve the initial written Program, and that the Board, an appropriate Board committee, or a designated member of senior management be responsible for the oversight, development, implementation and administration of the Program. Additionally, training of relevant staff and effective oversight of third party service providers with respect to the Program is also required. Organizations covered by the Red Flag Identity Theft Rules are subject to oversight by the appropriate federal regulators, and for those creditors that are not federally regulated financial institutions, the Federal Trade Commission provides oversight. Besides regulatory enforcement actions, violations of the FACT Act can subject an organization to civil actions for damages. The type and amount of damages available will depend on whether the violations are "negligent" or "willful." For a claim for negligent violation, a plaintiff must prove he or she suffered actual harm as a result of the defendant's negligence. 
In the case of a claim for a willful violation, most courts will require proof of actual knowledge and intentional violation of the relevant statute by the organization.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-7542472708500386402?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/7542472708500386402/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=7542472708500386402&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/7542472708500386402'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/7542472708500386402'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/03/red-flag-rules-deadline-may-1st.html' title='Red Flag rules Deadline May 1st'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-1265690542456116418</id><published>2009-03-23T08:12:00.000-07:00</published><updated>2009-03-25T07:40:14.741-07:00</updated><title type='text'>A New Link</title><content type='html'>I am proud to add a new link to this blog site. John Gardner has been a professional friend and consultant for several years. John, or perhaps his wife and partner Elizabeth once coined a phrase. 
"It's hard being right.....early" When in 2005 they predicted against all odds (and some ridicule), that medical identity theft was going to be a major problem. Less than 3 years later medical identity theft has indeed become a very serious problem with millions of victims.....so far.&lt;br /&gt;&lt;br /&gt;John co-authored a very comprehensive new book on identity theft from both the perspectives of &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_0"&gt;individuals&lt;/span&gt; and business owners. Titled &lt;strong&gt;"&lt;em&gt;If You Are Me Then Who Am I? the personal and business reality of identity theft."&lt;/em&gt;&lt;/strong&gt; This book goes much further into the subject of identity theft and data loss than any previous book available to the public.&lt;br /&gt;Additionally, John has begun his own website and commentary. For his opinions and positions please go to his site listed in my links.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-1265690542456116418?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/1265690542456116418/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=1265690542456116418&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/1265690542456116418'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/1265690542456116418'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/03/new-link.html' title='A New Link'/><author><name>John 
Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-623145193966851343</id><published>2009-03-20T08:24:00.000-07:00</published><updated>2009-03-20T10:14:15.514-07:00</updated><title type='text'>Identity Theft Policy and Your Rights.</title><content type='html'>I imagine that by now you have heard a great deal about steps all of us can take to prevent identity theft. Indeed there are things we can and should do to reduce our exposure to information theft. Shred credit card offers and bill statements before tossing them out in the trash. Check your bank and credit card statements as soon as they arrive in the mail, and report any suspicious items to the bank immediately. Don’t carry your Social Security card in your wallet or purse. Check your credit report often, or better yet have an identity theft monitoring service so you will know your credit report status at all times. If you use a computer then you face another set of privacy issues. You need sturdy firewall software protection. Never open suspicious emails, especially ones containing attachments. These are just a few of the measures we all need to take and are a critical part of our culture of personal security. The sooner these kinds of activity become part of our routine the better off we are.&lt;br /&gt;&lt;br /&gt;But when was the last time anyone spoke to you about your legal rights to have your personal information protected by someone like your Alma Mater or your County clerk?&lt;br /&gt;&lt;br /&gt;It has been a while since I wrote about all of the databases and lists where your personal information is kept. The bank comes to mind as a perfect example. 
Certainly they have some pretty personal stuff about your financial status and probably your SSN, home address, phone number, etc. How would you feel if they lost it to thieves? Well, there are literally thousands of places where your personal information is held. From your high school, college, medical records, property deeds, Human Resources files at your work, the federal government, to your county records. The list is almost endless. So-called specialty databases like the Casualty and Loss databases kept by Choicepoint track every insurance claim made in your name. What if those entries are the result of identity theft? These and many other databases are kept on all of us, and the accuracy of those records is absolutely crucial. The problem is that databases are hacked and stolen constantly. These businesses that hold your information are supposed to have procedures in place to protect that data from being lost, published, corrupted, or stolen. The problem is that a lot of them are not adhering to the government guidelines. A promise, a wink, and a really good IT guy are no longer sufficient. There are no excuses for poor or even non-existent identity theft policies and practices on the part of any company. The government, by way of the FTC and other agencies, has the power to prosecute the companies who have shirked their responsibilities.&lt;br /&gt;&lt;br /&gt;Back in 2008 a new law went into effect that required all banks, S&amp;amp;Ls and Credit Unions in the United States to adopt written policy guidelines and response plans regarding data loss and identity theft. It outlines very specific procedures to be on the lookout for that might indicate possible identity theft. It is hard to say whether all banks have successfully completed that compliance or not. But we have the right to ask the bank to show us that policy, and the bank is obligated to produce it. It would certainly be among the first questions I would ask when shopping for a new bank. 
I would strongly advise everyone to exercise that right before doing business with any financial institution. Your personal data is at risk and you have the right to see that they are taking appropriate steps to protect it. Make them prove it to you.&lt;br /&gt;&lt;br /&gt;As of May 1st of 2009 most every other business in the US will also have to adopt a similar identity theft prevention plan as called for in the 2007 FACTA red flags rule amendment. This would pertain to utility companies, accountants, real estate agencies, doctors’ and dentists’ offices, attorneys, universities, private and public school districts, local government authorities, department stores, medical clinics, any company that maintains a payroll, and anywhere you might have any sort of payment plan. Again, I strongly urge everyone to ask for that policy before entrusting your personal information to that business if at all possible. It is your right, and it is their obligation to produce the documents after May 1st.&lt;br /&gt;&lt;br /&gt;Identity theft is now the most reported white-collar crime in the world. In the US alone we see an estimated 8 to 10 million victims each year. The great majority of the identity thefts are the results of data taken from databases, and to a lesser degree from personal theft. So it is incumbent on all businesses to comply with the government’s mandated guidelines for the safekeeping of all personal information held on clients and employees alike.&lt;br /&gt;&lt;br /&gt;The next time you consider any new business relationship or check on the businesses that you currently have relationships with, please exercise that right to know how your personal information is being treated. Ask to see the policy document; they must show it to you. 
And for business owners, it is equally important for you to examine the identity theft prevention policy of any other business with whom you share data, such as HR or payroll services, accountancies, even office cleaning services for example.&lt;br /&gt;&lt;br /&gt;Only by participation in such compliance on the part of every business can we begin to turn the tide of this rampant theft and sale of personal information. The formula is very simple, there is very little cost for most businesses, and can only result in a decrease in crime and a lowered risk for businesses and their executives.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-623145193966851343?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/623145193966851343/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=623145193966851343&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/623145193966851343'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/623145193966851343'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/03/identity-theft-policy-and-your-rights.html' title='Identity Theft Policy and Your Rights.'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-4143240936774484133</id><published>2009-03-18T10:25:00.000-07:00</published><updated>2009-03-18T11:11:14.401-07:00</updated><title type='text'>Google?</title><content type='html'>The Electronic Privacy Information Center epic.org yesterday asked the U.S. Federal Trade Commission to investigate the privacy and security safeguards of Google's cloud computing services, reports the New York Times. The formal complaint requests that the commission look into Google Docs, Gmail and other cloud services offered by the company. The filing cites a breach earlier this month involving Google Docs. "We think the time is right for the FTC to look more closely at cloud computing services," said EPIC executive director Marc Rotenberg. A Google spokesperson said: "We are highly aware of how important our users' data is to them and take our responsibility very seriously."&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-4143240936774484133?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/4143240936774484133/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=4143240936774484133&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/4143240936774484133'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/4143240936774484133'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/03/google.html' 
title='Google?'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-1733367767628234891</id><published>2009-03-09T13:33:00.000-07:00</published><updated>2009-03-09T14:50:24.346-07:00</updated><title type='text'>If You Are Me Then Who Am I?</title><content type='html'>This new book &lt;a href="http://www.amazon.com/If-You-Are-then-Who/dp/144011773X/ref=sr_1_1?ie=UTF8&amp;amp;s=books&amp;amp;qid=1236629727&amp;amp;sr=1-1"&gt;If You Are Me Then Who Am I?&lt;/a&gt; by a couple of friends of mine is the best book on the subject I have seen to date. There is often a huge gap between what most authors write in books and articles and the reality of identity theft for both consumers and business executives. These gentlemen have laid out the realities as plainly as is possible for you to see. It’s all good information, and offered in the practical spirit of informing the public. Both John Gardner and Jim McCartney are professionals engaged in the privacy business as Identity Theft specialists and are noted authorities. I have not had the pleasure to meet Mr. 
Omtvedt but my knowledge of the other authors and their work leaves no doubt.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-1733367767628234891?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/1733367767628234891/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=1733367767628234891&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/1733367767628234891'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/1733367767628234891'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/03/if-you-are-me-then-who-am-i.html' title='If You Are Me Then Who Am I?'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-688344379448519448</id><published>2009-03-04T14:42:00.001-08:00</published><updated>2009-03-13T14:47:47.683-07:00</updated><title type='text'>Identity Theft Services</title><content type='html'>&lt;p&gt;I recommend that everyone avail themselves of an identity theft protection service. Similar to insurance in concept, such a service should provide professional services to the client who finds him or herself victimized by identity theft. Are all services equal? No. 
As we have already established, identity theft can be divided into 5 major categories. &lt;/p&gt;&lt;ul&gt;&lt;li&gt;Theft of personal information to establish new credit accounts, take over existing accounts or otherwise establish retail purchases or cell phone accounts.&lt;/li&gt;&lt;li&gt;Theft of personal medical insurance data to obtain medical procedures, or to file insurance claims. &lt;/li&gt;&lt;li&gt;Theft of a driver’s license in order to assume a new identity for a host of reasons ranging from commission of crime to obtaining employment, to air travel without otherwise proper identification. &lt;/li&gt;&lt;li&gt;Theft of another’s Social Security information to synthesize a new identity, gain employment, obtain insurance, file false IRS refund claims, etc. &lt;/li&gt;&lt;li&gt;Posing as another person so as to cause legal or libelous harm, perhaps even committing crimes and providing false identification to law enforcement. This type of identity theft is most common with illegal immigration. Often the result of a synthesized identity. &lt;/li&gt;&lt;/ul&gt;&lt;p&gt;There are almost as many methods of obtaining the information as there are thieves to steal it. Our information is under siege and no one solution will suffice in providing reasonable protection. We want a catch net type of service that will help us through most episodes of identity theft, foreseen or not. Although there are hybrid services that don’t quite fit into any one category, the basic types of service concepts are as follows: &lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;strong&gt;Fraud alert services&lt;/strong&gt;. Fraud alerts are free to anyone who reasonably suspects they are identity theft victims. The most common method is effective for 90 days, and is renewable with each credit bureau, although by law if one bureau is notified that bureau is responsible to notify the other bureaus. 
Under law (&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;FCRA&lt;/span&gt;), before issuing new credit a business must contact anyone who has a fraud alert flag with the credit bureaus. Some companies, acting on behalf of the client, set these alerts and advertise that this mechanism can “stop” new account activity or "prevent" identity theft. Note: a significant number, but not the majority of new credit issuers, mostly retailers, do not run credit checks prior to issuing credit. A fraud alert service will only stopgap the setting up of new credit accounts.&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;strong&gt;Credit Monitoring.&lt;/strong&gt; As the credit bureaus receive attachments from businesses and agencies describing activity from new accounts to payment activity, inquiries, etc., credit monitoring services receive notices of those reports on behalf of the client and report that activity to the client depending on frequency from hourly to monthly. Somewhat broader in scope than fraud alerts, monitoring is reporting activity after the fact of the incident. Obviously the more frequent the monitoring activity the more effective the service. &lt;/p&gt;&lt;p&gt;&lt;strong&gt;Banks and Credit Card Companies&lt;/strong&gt; often have products that provide identity theft services for their clients. The credit card companies are only interested in protecting that particular account from fraud. In other words they are protecting their own interest and the services do not extend beyond that account. &lt;/p&gt;&lt;p&gt;Banks have a variety of identity theft services but are fairly ineffective, and stripped down in the actual services they provide. All are administered by 3rd parties with whom the bank's service provider has a contract. It is very difficult to find who is actually performing the services, if any. They are largely based on insurance, (see below), and are tied to that bank to induce loyalty. If you close that account the services will stop. 
They also do not cover anyone other than the depositor. Generally there are two levels of service, free and fee based. Free is close to worthless, and the fee based version is a lower insurance deductible or slightly higher coverage, and a few ancillary services of little use to an identity theft victim.&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;strong&gt;Restoration.&lt;/strong&gt; With a proliferation of new identity theft products on the market a lot of them claim to perform restoration of the client’s records. It is important to understand what each company means by restoration, and who performs the services of restoration. Very often the company is little more than a marketing firm and the restoration services are provided under contract with third party businesses not advertised in the literature. Some claim to have former law enforcement personnel on staff to ferret out thieves, some have caseworkers to represent the client during an identity theft episode. Ask about the accreditation of these representatives, and the scope of their authority. Most of these services, however, do not provide restoration for all of the forms of identity theft mentioned above. Instead they concentrate mostly on the financial types of the crime. &lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;strong&gt;Insurance.&lt;/strong&gt; Any company that offers any sort of re-compensation insurance for loss or expenses is using the tactic of promising thousands or even a million dollars in insurance to lure customers. What they don’t tell you is that you first have to spend the money and then file an insurance claim. Also most of them have in the fine print of the contract language like “in the aggregate”, indicating that this insurance amount is available over the lifetime of the client, not per incident. As we all know insurance claims are subject to underwriting and review by the carrier. 
Although they are obligated under insurance laws in each state most all claims are never paid because they don't meet threshold tests. Just to be clear, only the FDIC can insure money. The products can only claim to reimburse for out of pocket expenses related to resolving identity theft issues. &lt;/p&gt;&lt;p&gt;&lt;strong&gt;It is important to note&lt;/strong&gt; that some companies offer to provide protection to entire families. This can be a little sticky. While it is important for adults to have identity theft services no one under 18 can legally obtain credit in the United States, or be held responsible for debt. Therefore minors should not have credit reports. If a report exists on a minor that might be an indication that identity theft has occurred in that minors' name. Parents should order copies of their minor &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_1"&gt;children's&lt;/span&gt; credit reports by using &lt;a href="http://www.annualcreditreport.com/"&gt;http://www.annualcreditreport.com/&lt;/a&gt; . There is no cost for that and can be done once every 12 months. There shouldn't be a report but if one does exist an attorney can contact creditors and authorities on behalf of the family of the minor to handle these issues.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;In conclusion&lt;/strong&gt; anyone looking into an identity theft service is wise to choose a company that is transparent about the scope and nature of the services they offer. You should be able to look up the members of the Board of Directors biographies, and information about the company itself. Never trust any business that hides its operations behind its products. They should be a professional privacy and risk management type of firm with demonstrable experience in safeguarding sensitive information. They need to offer a full restoration service preferably performed by licensed professionals. 
They should offer proactive searches of non-financial databases such as FBI, IRS, Postal authorities, &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_2"&gt;DMV&lt;/span&gt; and SSA for example. Such searches turn up other types of activity that usually do not show up on credit reports. The company should provide access to attorneys for all of the legal aspects of identity theft. They should also provide regular communications with the client on a weekly or monthly basis irrespective of any identity theft episodes. Whether the client opts to have a fraud alert service or not credit report monitoring is essential as it picks up non credit notices in credit bureau files such as change of address requests, criminal attachments, etc. Those are in my opinion the minimum requirements for any good service. Beware of claims such as preventing identity theft or any guarantees of results. Identity theft is a changing set of crimes and frankly the legitimate world is constantly playing catch up and trying to be as forward thinking as they possibly can. We only have one identity to protect. 
Be certain that the service you choose is going to be there for you when you need it.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-688344379448519448?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/688344379448519448/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=688344379448519448&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/688344379448519448'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/688344379448519448'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/03/identity-theft-services_04.html' title='Identity Theft Services'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-2813445583407460959</id><published>2009-03-04T11:12:00.000-08:00</published><updated>2009-03-10T11:16:58.635-07:00</updated><title type='text'>Protecting Employees?</title><content type='html'>&lt;em&gt;&lt;strong&gt;Who said that companies only have to be concerned with protecting the personal information of clients?&lt;/strong&gt;&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;I have been reading and studying the privacy laws very carefully for several years and I've found the same thread over and over. 
These laws are in effect to protect the public from having their personal information stolen, lost, or otherwise misused. It's about identity theft, not compliance. And nowhere is it written that companies don't need to bother with employees' personal information.&lt;br /&gt;&lt;br /&gt;Other laws require that companies who lose data contact everyone at risk that the information has been breached. Why do these so called "notification" laws exist? Is it so a business can be in compliance? No, it is to try and protect the public. Disregarding employee data from the mix won't help either. Aren't they part of the public too? Businesses have a special obligation to their employees.&lt;br /&gt;&lt;br /&gt;Every expert in the field of privacy protection &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_0"&gt;that&lt;/span&gt; I have read says the same thing when asked about which businesses are covered by which laws. The response is always the same. "&lt;em&gt;It's the smart and responsible thing to do &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_1"&gt;regardless&lt;/span&gt; of the nature of the business."&lt;/em&gt; If every business were to &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_2"&gt;initiate&lt;/span&gt; a plan to safeguard the information they hold on employees and clients who would be left out?&lt;br /&gt;&lt;br /&gt;On the practical side having such a plan which includes employees greatly reduces the employers' exposure to law suits filed by employees if they are exposed to increased risk at work. 
Arming employees with a good risk-averse identity theft protection service can nearly eliminate lost &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_3"&gt;work time&lt;/span&gt; on the part of employees and their families who have identity theft problems off the job too, if restoration is a part of the service.&lt;br /&gt;&lt;br /&gt;Employers, toss out that compliance thinking and develop a mindset of complete security. You will accomplish a greater goal. It is to your advantage.&lt;br /&gt;&lt;br /&gt;Remember, when you protect the information you keep on others you are protecting them. When someone else does it they are protecting you.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-2813445583407460959?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/2813445583407460959/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=2813445583407460959&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/2813445583407460959'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/2813445583407460959'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/03/protecting-employees.html' title='Protecting Employees?'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32'
src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-5484843071620697540</id><published>2009-03-03T08:08:00.000-08:00</published><updated>2009-03-04T07:50:08.599-08:00</updated><title type='text'>A Violation of your Privacy Rights</title><content type='html'>I want everyone to read something posted by my good friends at &lt;a href="http://ivebeenmugged.typepad.com/"&gt;I've Been Mugged&lt;/a&gt; .&lt;br /&gt;If you are not aware of this you should be. When you bury your heads in the sand on issues of your personal privacy it is the same as agreeing to have your privacy invaded and being used for someone else’s gain with little or no regard for you. In my opinion George does a great public service by researching and bringing these issues to you.&lt;br /&gt;&lt;br /&gt;A good friend once told me "If you don't know your rights you don't have any." 
My friends you have the right to not be treated in this cavalier fashion by companies posing as a service.&lt;br /&gt;&lt;br /&gt;John&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-5484843071620697540?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/5484843071620697540/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=5484843071620697540&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/5484843071620697540'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/5484843071620697540'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/03/i-want-everyone-to-read-something.html' title='A Violation of your Privacy Rights'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-5758793649528425808</id><published>2009-03-02T10:04:00.000-08:00</published><updated>2009-03-02T10:09:00.242-08:00</updated><title type='text'>New Payment Processor Breach Reports Unfounded</title><content type='html'>Last week's reports that another payment processor may have experienced a data breach remain unfounded and in a statement issued Friday, Visa said that new alerts recently sent to banks and credit unions regarding a compromise were part of 
efforts to clean up after an already-known breach, reports Computerworld. According to the report, the statement stands in contrast to those issued last week by Visa and MasterCard International, which suggested that a new breach had occurred.&lt;br /&gt;&lt;br /&gt;I guess sometimes we are predisposed to "go to press" before we get more facts. Data breaches happen so regularly that we become inured to the impact of each and every case. I'm glad to set the record straight on this one.&lt;br /&gt;&lt;br /&gt;John&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-5758793649528425808?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/5758793649528425808/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=5758793649528425808&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/5758793649528425808'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/5758793649528425808'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/03/new-payment-processor-breach-reports.html' title='New Payment Processor Breach Reports Unfounded'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-3944568035534274155</id><published>2009-02-27T11:19:00.000-08:00</published><updated>2009-02-28T11:43:56.430-08:00</updated><title type='text'>A Culture of Compliance or a Culture of Security?</title><content type='html'>In 2007 the Federal Trade Commission published a small booklet called &lt;a href="http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus69.pdf"&gt;Protecting Personal Information, a Guide for Business&lt;/a&gt;. It lays out steps any business should look at to improve its internal security practices. One of the paragraphs begins, "&lt;em&gt;&lt;strong&gt;Create a Culture of Security"&lt;/strong&gt;&lt;/em&gt;. That term stuck with me and has become part of my personal lexicon when I talk about data loss in a business setting.&lt;br /&gt;&lt;br /&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;GLB&lt;/span&gt; and the new Red Flags Rule lay out in pretty specific terms a short list of simple steps every business needs to adopt across the board regardless of the industry. There are fundamental file types shared by all businesses like payroll and HR records, receivable accounts, and so forth that need to be safeguarded. Add to that client personal information, patient records for medical organizations, company intellectual property and strategies, and then the access other businesses have to that information by way of contract arrangements, and you have quite a lot to keep track of. 
Therefore, whether a business is an accountancy covered by &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1"&gt;GLB&lt;/span&gt;, or a bank subject to &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_2"&gt;FACTA&lt;/span&gt; Red Flags, or any other business type, a written identity theft prevention and response policy adopted by a board or owners is the basic element. From that policy flows company-wide training, and documentation. Next, oversight into the identity theft prevention policies of the other businesses that can access the information makes sense to tie the program together.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Whether it is apparent or not every business looking into adopting an identity theft strategy has two basic choices in philosophy as to how they will approach their program.&lt;br /&gt;&lt;br /&gt;First is what I call a &lt;em&gt;&lt;strong&gt;Culture of Compliance&lt;/strong&gt;&lt;/em&gt;. A culture of compliance is simply that. Looking at the letter of law and taking the traditional step by step route of signing off on each point of compliance. Now, this business might well be concerned about losing valuable information, and implementing their program for all the right reasons, but is their goal more skewed to compliance and business liability, or to lowering the risk of identity theft? The reason I say that is not to impugn anyone’s compliance program but to point out a subtle difference that can make a very large difference in how effective the program will be when it is put to the test. Compliance is almost always a top down policy adopted by management, explained in some detail to department heads and managers, and then finally presented to the rank and file as the new way to perform certain tasks. 
Employees are then instructed to sign off that they understand the new procedures, and that’s pretty much it.&lt;br /&gt;&lt;br /&gt;Now on to the second choice a business has, a &lt;em&gt;&lt;strong&gt;Culture of Security&lt;/strong&gt;&lt;/em&gt;. In this mindset the policy begins in much the same way by being adopted by the board and then explained in detail to department heads, etc. Here is where the different mindset comes into play. It needs to be understood that no matter how simple or extensive a program it is the employee that protects the information, not management or department heads. While ultimately responsible management &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_3"&gt;doesn&lt;/span&gt;’t necessarily handle the data personally. So it is essential to thoroughly educate the staff. Not just the IT or records keeping personnel but &lt;em&gt;all&lt;/em&gt; staff.&lt;br /&gt;Identity theft is a real crime with real victims. I don’t know anyone that &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_4"&gt;doesn&lt;/span&gt;’t at least know one victim of identity theft. It touches all of us in some way. I hear devastating stories from victims all the time. This is at the heart of why a company needs such a policy. Certainly the business logic of preventing data loss is key to survival. I don’t want to minimize that, but I also don’t want to minimize the risk to the employees themselves, or the individual client. Their lives can be ruined by identity thieves in a number of ways. That can have a serious impact on the business too, from lost work-time to loss of public confidence and potential loss of clientele.&lt;br /&gt;Training the employees, and I mean all employees, needs to include a solid awareness of the crimes of identity theft and how they themselves can learn to mitigate their personal risk as well as that of the clients. 
Those trainings are also an opportunity for the employees to offer their own solutions to how office flow might be tightened up and certain procedures changed to increase security. I have not visited a business yet that did not have issues that need improvement. That not only has the net effect of helping the staff but also sensitizing them as to the risk to the client. If you make the staff a part of the solution you have a much more effective program that grows away from management and takes on a culture of security. "&lt;em&gt;When you protect the information you keep on others you are protecting them. When someone else does it they are protecting you.&lt;/em&gt;" It is also imperative to offer the entire staff a mitigating identity theft service. It is not a matter of whether the company pays for that or if it is an employee option. It will have the net effect of protecting the company and the employee, and saving both money and time.&lt;br /&gt;&lt;br /&gt;Which method will you choose for your business?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-3944568035534274155?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/3944568035534274155/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=3944568035534274155&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/3944568035534274155'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/3944568035534274155'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/02/culture-of-compliance-or-culture-of.html' title='A Culture of 
Compliance or a Culture of Security?'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-3021443973924412471</id><published>2009-02-25T10:43:00.000-08:00</published><updated>2009-02-25T10:54:00.175-08:00</updated><title type='text'>Another Payment Card Processor Breached</title><content type='html'>&lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;amp;articleid=9128429&amp;amp;source=NLT_PM"&gt;&lt;span style="color:#3333ff;"&gt;Computerworld reports&lt;/span&gt;&lt;/a&gt; that another payment processor has been rocked by a security breach. Details are few and the affected company has not been identified, but according to reports, attackers breached a U.S.-based company, uncovering the account numbers and expiration dates of payment cards used in card-not-present transactions between February 2008 and January 2009. It is the third breach incident involving a payment processor since December, coming on the heels of Heartland Payment Systems' breach announcement just weeks ago. Visa Inc. and MasterCard International Inc. have begun notifying banks and credit unions of the compromise. 
Some fraudulent transactions have been reported as a result of this latest breach.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-3021443973924412471?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/3021443973924412471/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=3021443973924412471&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/3021443973924412471'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/3021443973924412471'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/02/another-payment-card-processor-breached.html' title='Another Payment Card Processor Breached'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-8533056238739842690</id><published>2009-02-23T09:45:00.000-08:00</published><updated>2009-02-26T08:51:56.845-08:00</updated><title type='text'>An Identity Theft Risk Management Program</title><content type='html'>In the last four posts I have described the fundamentals of a good identity theft program that takes into account the basic requirements for all parties. There are also additional compliance requirements placed on specific industries such as healthcare, banking and so forth. 
But it is very important to have all of the fundamentals in place so the program will be more effective. Let me introduce you to the &lt;strong&gt;&lt;em&gt;Affirmative Defense Response System&lt;/em&gt;&lt;/strong&gt; offered to businesses from &lt;a href="http://www.prepaidlegal.com/"&gt;&lt;span style="color:#3333ff;"&gt;Pre-Paid Legal Services Inc.&lt;/span&gt;&lt;/a&gt;&lt;span style="color:#3333ff;"&gt;.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;First, we covered &lt;a href="http://jtidtheftblog.blogspot.com/2009/02/victim.html"&gt;&lt;span style="color:#3333ff;"&gt;The Victim&lt;/span&gt;&lt;/a&gt; and the effects different forms of identity theft might have. We talked about the laws enacted to protect individuals from having their information stolen from databases, company spreadsheets, or HR files and used by thieves.&lt;br /&gt;&lt;br /&gt;In &lt;a href="http://jtidtheftblog.blogspot.com/2009/02/company.html"&gt;&lt;span style="color:#3333ff;"&gt;The Company&lt;/span&gt;&lt;/a&gt; I described briefly that entities that keep information for business purposes have a legal responsibility to try and safeguard it. We then outlined the basic procedures that any business can undertake as the foundation of an identity theft prevention program. It is important to remind the reader that without these basics all of the higher order compliance procedures are much less effective.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://jtidtheftblog.blogspot.com/2009/02/documentation.html"&gt;&lt;span style="color:#3333ff;"&gt;Documentation&lt;/span&gt;&lt;/a&gt; Without documentation the company cannot mitigate its exposure to liabilities such as litigation, fines, prosecution, and damaged public relations.&lt;br /&gt;&lt;br /&gt;There are companies that provide services to assist with portions of these necessary steps. Some offer training programs, some identity theft products for the employee or client. 
Some companies provide a complete response package of notification to potential victims, and forensic services to the affected business. In other words there are a number of companies that offer a lot of services to the business. The ones I have looked at are very good at what they do. They are also specifically in the business of providing only these types of compliance services.&lt;br /&gt;&lt;br /&gt;Here’s why &lt;a href="http://www.prepaidlegal.com/"&gt;&lt;span style="color:#3333ff;"&gt;Pre-Paid Legal Services&lt;/span&gt;&lt;/a&gt; is unique and very effective. We are the only company in the field that not only offers a highly effective identity theft &lt;a href="http://prepaidlegal.com/idt/jtaylor05"&gt;&lt;span style="color:#3333ff;"&gt;product&lt;/span&gt;&lt;/a&gt; to protect from all forms of identity theft, not simply from financial crime, regardless of how and where the crime occurs. It is also the only product that provides complete restoration of the victim’s identity, again regardless of the nature. Restoration means no matter what records are affected, &lt;a href="http://www.krollfraudsolutions.com/"&gt;&lt;span style="color:#3333ff;"&gt;Kroll Fraud Solutions&lt;/span&gt;&lt;/a&gt;&lt;span style="color:#3333ff;"&gt; &lt;/span&gt;has licensed forensic investigators on staff to fully manage all of the restoration processes on behalf of the victim. We also offer the largest and most mature network of major law firms in each state and four provinces of Canada that will represent the client for all forms of identity theft if needed, with 24-hour access to their firm in emergencies, from anywhere in North America. For the 62% of all identity theft victims who have warrants issued in their name that can be very reassuring. (Sorry for the stat).
Moreover the entire family has the &lt;a href="http://prepaidlegal.com/info/jtaylor05"&gt;&lt;span style="color:#3333ff;"&gt;services&lt;/span&gt;&lt;/a&gt; of their law firm for all of their life’s legal events such as mortgage contract help, help with estate planning, tax law help, representation in civil court, criminal court, and traffic court, and many other areas of law that otherwise most everyone cannot afford to use an attorney for. You should know that between these two public companies we have amassed over 70 years of experience in our fields. Pre-Paid Legal is celebrating its 37th year of business this year. We don't do anything else. Those are very briefly our products. &lt;em&gt;&lt;strong&gt;No other company in the world offers comprehensive identity theft and comprehensive legal services together as a suite of coverage. &lt;/strong&gt;&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;Now on to identity theft help for a business. You recall that the first essential step is to enact a company policy illustrating the company’s position and procedures to protect information. We provide that written policy to the business at no cost. This document is the product of our Advisory Council and is current with the laws including all of the 26 red flags specified in the latest FACTA legislation. The Advisory Council is comprised of three former state Attorneys General, and the General Counsel of one of the nation’s largest energy companies. Each company is encouraged to make whatever changes are needed to customize the policy to the nature of their industry. Next is employee training on the new policy, and a general awareness discussion of identity theft as it affects millions of Americans every day. A key reason for hands-on meetings is the interchange of ideas, and the problem solving unique to every business. Very important is documentation of those meetings too. We also provide that hands-on training and proof of training documents at no cost.
In fact we provide all of the documents the business will need including letters notifying contractors and service providers of the policy. Once those are sent we can then follow up with each contracting company regarding their policy.&lt;br /&gt;&lt;br /&gt;We have taken into account the needs of&lt;br /&gt;· The client company by providing an entire package of identity theft prevention services at no cost to the company. Remember Kaiser? As I said before if they had provided the level of awareness training to all staff they might have avoided the recent breach of employee data. That is a very real advantage, and at no cost.&lt;br /&gt;· We have offered all of the employees services that will greatly reduce their family risk while providing much needed help for the family in a number of areas. These voluntary benefits are typically paid for by the individual employee on a month-to-month basis.&lt;br /&gt;· This, by the way also has the effect of limiting the company liability if an internal breach were to occur, since a mitigating service has previously been offered.&lt;br /&gt;· Companies such as financial advisors, accountancies, banks and other financial services can optionally make this available also to clients, which will provide an early warning and restoration of possible identity theft episodes from any source.&lt;br /&gt;&lt;br /&gt;Have I left out anyone? I believe not. 
I can provide all of the above for your company at no direct cost to the business, and provide substantial benefits to the staff that they can use from day one to help with all of the families' identity theft and legal issues they might be facing.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-8533056238739842690?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/8533056238739842690/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=8533056238739842690&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/8533056238739842690'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/8533056238739842690'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/02/so-what-is-it-that-i-do.html' title='An Identity Theft Risk Management Program'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-8301753221650699633</id><published>2009-02-20T08:41:00.000-08:00</published><updated>2009-02-24T08:43:18.841-08:00</updated><title type='text'>Documentation</title><content type='html'>This is the fourth post in a series of five. 
A program such as a risk-averse compliance program has dual purposes.&lt;br /&gt;&lt;br /&gt;First, a business wants to protect its clients and employees from identity theft. It's the responsible thing to do. The program I outlined in my previous column will greatly reduce the incidence of data loss. While nothing is foolproof, a holistic approach is far more effective than a patchwork of compliance steps. For example, the Northern California “district” of the Kaiser hospital group had a large breach of personal information very recently. Kaiser takes its &lt;a href="http://www.cms.hhs.gov/hipaaGenInfo/"&gt;&lt;span style="color:#3333ff;"&gt;HIPAA&lt;/span&gt;&lt;/a&gt; responsibilities seriously. Part of that responsibility is to protect the privacy of the patient files in the Kaiser system. This breach, however, was of &lt;em&gt;&lt;strong&gt;employee&lt;/strong&gt;&lt;/em&gt; HR file information, and is not covered under the &lt;a href="http://www.cms.hhs.gov/hipaaGenInfo/"&gt;&lt;span style="color:#3333ff;"&gt;HIPAA&lt;/span&gt;&lt;/a&gt; compliance requirements. Had the employer included the entire administrative team, payroll, HR, accounting, etc. in a company-wide data security culture, they might have prevented that breach.&lt;br /&gt;&lt;br /&gt;The other reason to initiate a personal information security program is to lessen exposure to risk and mitigate the company liability.&lt;br /&gt;That is why documentation is so important. When an organization experiences a breach, either forensic investigators from the Secret Service or agents representing the FTC or law enforcement will want to see what the business has done to protect the information prior to the incident. Just as proof of insurance affects the outcome of a traffic accident, proof of an identity theft program will affect the outcome of a breach case. A carefully documented program is key.
You need to document that you have enacted the policy, that everyone on staff has been exposed to the policy and has agreed to uphold the policy. Documentation naming the person(s) responsible for administering the program needs to be in the file along with notification to all contractors and service providers that the plan is in place and the business expects a similar policy to be in place with all contractors.&lt;br /&gt;&lt;br /&gt;In the next post I will tie all of this together and show how &lt;span style="color:#000000;"&gt;Pre-Paid Legal Services Inc&lt;/span&gt; has developed a program that connects the dots and covers each aspect of what I’ve described in the last few posts. I’m proud to say that no other service exists that provides the uniquely comprehensive and "holistic" approach as the &lt;span style="color:#000000;"&gt;Pre-Paid program.&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-8301753221650699633?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/8301753221650699633/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=8301753221650699633&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/8301753221650699633'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/8301753221650699633'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/02/documentation.html' title='Documentation'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-1874816820549196492</id><published>2009-02-19T10:26:00.000-08:00</published><updated>2009-02-20T08:09:59.998-08:00</updated><title type='text'>The Company</title><content type='html'>In my previous post I outlined who the victims of identity theft are, and what they might expect to encounter in resolving the fallout from being a victim. In this post let’s take a look at the companies responsible for protecting databases and files. The reason for this is to illustrate that the majority of the information that is stolen and used by identity thieves comes from data files. Either by way of insider theft or by accidental exposure of personal information, the end result is the same. I'm not forgetting that there are also a number of incidents of personal theft, “dumpster diving”, computer data theft, mailbox theft, and so forth. There are steps that everyone can take to reduce that kind of risk. I will address that later. Again, for the victim it is less important where the theft occurred, and more important how to recover. &lt;br /&gt;&lt;br /&gt;Every business, college, state and county, hospital, non-profit, utility, frankly everyone keeps records. If not on clients then on personnel, and usually both. Names and addresses along with employee numbers, bank account numbers, SSNs, credit report files, and health information are typical and are considered non-public information. The information in those records by law needs to be protected. Over a number of years dozens of federal and state laws have been enacted that rightfully place the security responsibility on those that keep the records.
When they lose that information, no matter how it happens, scenarios like the ones described in my Victim post can occur.&lt;br /&gt;&lt;br /&gt;The fallout affects the individual victim, their families, and of course the business. Several things can happen when a database is breached. First, the company will need to make a public notice to all potential victims that their information is at risk of identity theft. Statistics show that when that happens 40% of all clients will cease doing business with them, 20% will seriously consider it, and 5 to 10% will sue. I know I said I would refrain from stats but those numbers are staggering. That is just the beginning. The laws all have civil or criminal penalties, and individual and class actions could be likely.&lt;br /&gt;&lt;br /&gt;What is a business to do?&lt;br /&gt;There are a number of steps any business can take. Large and high tech companies have vast resources, and can take such steps as hiring permanent privacy and security officers to manage a data security program. Banks, S&amp;amp;Ls and lenders have certain extra responsibilities to ensure the accounts they have are genuine and are not the result of stolen or falsified information.&lt;br /&gt;Also, encryption programs and procedures are required of insurance and financial organizations such as financial advisors and accountancies. &lt;em&gt;&lt;strong&gt;All&lt;/strong&gt;&lt;/em&gt; businesses, however, can take other reasonable steps given their individual resources.&lt;br /&gt;&lt;br /&gt;These remaining reasonable steps revolve around awareness. Regardless of the size and nature of a business these are crucial in a "culture of security." Developing a written plan and strategy is the first step in any identity theft program. This policy once approved becomes the engine that drives the program. Next is naming the individuals responsible to implement the plan.
Next, and perhaps most important, is to discuss the plan with all employees in general safety meetings, and make them aware of their responsibilities under the plan. This is also a good opportunity for feedback from the staff as to how the company might tighten security around record keeping and office procedures. Another important step needs to be taken in order for the plan to be effective. That is working with any contractor or service provider business to ensure that the security practices of that company are of similar caliber. Lastly, make some sort of notification system available to clients and employees if possible identity theft episodes have occurred from any source, not just from the company. Any business that has performed these steps will be considered to have taken the reasonable steps required by the FTC to comply with the spirit and intention of the privacy legislation.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-1874816820549196492?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/1874816820549196492/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=1874816820549196492&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/1874816820549196492'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/1874816820549196492'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/02/company.html' title='The Company'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image
rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-8578453193567812031</id><published>2009-02-18T08:32:00.000-08:00</published><updated>2009-02-23T11:32:51.906-08:00</updated><title type='text'>The Victim</title><content type='html'>In my last post I said that at &lt;a href="http://www.prepaidlegal.com/"&gt;&lt;span style="color:#3333ff;"&gt;Pre-Paid Legal Services&lt;/span&gt;&lt;/a&gt; we take into account the employee of a business, the customers of the business, the business itself, and other companies that have a business relationship with them. In this post I want to focus on the individual victim. Victims can be employees, customers or simply someone unfortunate enough to have their information stolen as the result of a breach of records, like from a county or former university for example.&lt;br /&gt;&lt;br /&gt;I want to write this series without relying on statistics to make my point. I wade through mountains of identity theft statistics almost every day. Some are so contradictory as to negate their conclusions, and a lot of data and surveys you see from companies are simply skewed to validate preconceived ideas of the company and their product. One fact is irrefutable however. No victim of identity theft cares about statistics, only what resources they need to try and solve their problem. The effectiveness of a service to aid the client is the only statistic that matters.&lt;br /&gt;&lt;br /&gt;First, let’s recognize identity theft as the crime that it is. It is most assuredly not victimless, as I can personally attest. You become one of about 10 million North American victims each year. Your local police and County attorney can’t help you. The Attorney General of your state can’t help you.
With very rare exceptions these agencies simply do not have the resources to help individual identity theft victims. Every victim is on their own to plow through the maze of issues they need to resolve in order to try and put the episode behind them. That bears repeating. Every victim of identity theft needs to be actively engaged in dealing with their own identity theft rescue. So, when you become the victim of identity theft you want help, plain and simple. As with anything, every victim wants to be able to pick up the phone and know that the person on the other end will help them.&lt;br /&gt;&lt;br /&gt;This is a lot more than working with your bank to get your account straight, although that can be difficult enough. I've often said that victims of financial (bank account) identity theft are fortunate! It is the easiest type of the crime to resolve. However, identity theft might involve representation with the IRS in the event your &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;SSN&lt;/span&gt; has been used to obtain employment, or to make false tax filings to get refunds, or not paying taxes at all. Your situation might involve the use of your medical insurance to file false claims, or receive medical services leaving you stuck with the bill and incorrect medical records. It might be one of using your identity in the commission of a crime, or a number of &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_1"&gt;circumstances&lt;/span&gt; where an attorney will be your best advocate. Remember, identity theft is a crime, and crime is a legal issue.&lt;br /&gt;&lt;br /&gt;You will also need your records scrubbed of false entries after the fact. It will likely involve the credit bureaus, but also many other local, federal and private databases that can contain untrue entries and documents depending on the nature of the crime.
You will need to have those records restored to their &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_2"&gt;pre&lt;/span&gt;-theft status. That can take years.&lt;br /&gt;&lt;br /&gt;In my next post we will look at those databases and the businesses that keep them.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-8578453193567812031?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/8578453193567812031/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=8578453193567812031&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/8578453193567812031'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/8578453193567812031'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/02/victim.html' title='The Victim'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-528766258600699568</id><published>2009-02-17T18:19:00.000-08:00</published><updated>2009-02-18T08:14:06.795-08:00</updated><title type='text'>What do I do?</title><content type='html'>After writing this column for over a year it seemed a good idea to share exactly what it is that I do in the field of identity theft. 
Over the next few posts I hope to lay out what it is that makes our suite of products and services uniquely better suited to deal with identity theft. And then how I fit into it.&lt;br /&gt;&lt;br /&gt;The company that I represent is &lt;a href="http://www.prepaidlegal.com/group/jtaylor05"&gt;&lt;span style="color:#3333ff;"&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;Pre&lt;/span&gt;-Paid Legal Services Inc.&lt;/span&gt;&lt;/a&gt; A couple of years after being victimized by identity theft in 2000, I found this company. When I saw what they offer to customers I realized right away that they had the best answer to identity theft.&lt;br /&gt;There are a lot of products flooding the market that say they can, “&lt;em&gt;stop identity theft in it’s tracks&lt;/em&gt;”, or “&lt;em&gt;track down the perpetrator&lt;/em&gt;”, “&lt;em&gt;prevent the crime from happening&lt;/em&gt;”, “&lt;em&gt;insure your losses&lt;/em&gt;”, and all sorts of claims. The truth is all of them are simply selling you a product. The good news is that almost all of them have at least some merit, and a few are very good. I am not going to comment on the claims you see in their ads, nor will I go into any kind of comparison here; I’ll leave that up to you.&lt;br /&gt;&lt;br /&gt;What I want to accomplish in the next few posts is to explain how the products and services of &lt;a href="http://www.prepaidlegal.com/group/jtaylor05"&gt;&lt;span style="color:#3333ff;"&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1"&gt;Pre&lt;/span&gt;-Paid&lt;/span&gt;&lt;/a&gt; can be the most elegant, solution-oriented products that take into account the company that might have data to protect, the employees of that company, the clients or customers of that company and the other businesses that do business with that company.
And also the future of identity theft no matter what direction it takes.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-528766258600699568?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/528766258600699568/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=528766258600699568&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/528766258600699568'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/528766258600699568'/><link rel='alternate' type='text/html' href='http://jtidtheftblog.blogspot.com/2009/02/what-do-i-do.html' title='What do I do?'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2630186760095824791.post-938099266800440381</id><published>2009-02-17T13:47:00.000-08:00</published><updated>2009-02-17T13:55:01.055-08:00</updated><title type='text'>FAA Employee Database Hacked</title><content type='html'>And the beat goes on....&lt;br /&gt;&lt;br /&gt;The Associated Press reported last week that hackers broke into a Federal Aviation Administration employee database accessing the personally identifiable information of 45,000 employees and retirees. The break-in was disclosed by the FAA in an announcement to union representatives. 
An FAA representative confirmed that the event took place last week.&lt;br /&gt;&lt;br /&gt;Tom Waters, president of American Federation of State, County and Municipal Employees Local 3290, said union leaders were told hackers gained access to two files. One file had the names and Social Security numbers of 45,000 employees and retirees on the FAA's rolls as of February 2006. Social Security numbers can be used to steal identities for illicit purposes.&lt;br /&gt;Waters said the other file contained medical information that was encrypted.&lt;br /&gt;&lt;br /&gt;An FAA contracts attorney complained that federal computer systems "should be the best in the world" and not vulnerable to hackers; the FAA said this was the first incident of its kind to affect the agency.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2630186760095824791-938099266800440381?l=jtidtheftblog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jtidtheftblog.blogspot.com/feeds/938099266800440381/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2630186760095824791&amp;postID=938099266800440381&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/938099266800440381'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2630186760095824791/posts/default/938099266800440381'/><link rel='alternate' type='text/html'
href='http://jtidtheftblog.blogspot.com/2009/02/faa-employee-database-hacked.html' title='FAA Employee Database Hacked'/><author><name>John Taylor</name><uri>http://www.blogger.com/profile/15220821369172645158</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_ARPEMVaIXkg/SefCwrBZc_I/AAAAAAAAAB4/izcnmdDqiIA/S220/JT+06.jpg'/></author><thr:total>0</thr:total></entry></feed>
